Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Analysis ID:	1427767
MD5:	8745c960022bcefff65c91a47374a169
SHA1:	e503dd1b85b17ba61e468890d11f3259e9437b72
SHA256:	8fd4a4dcbe8b649c8c8cec213352c6da213caaefffc76450efee498e51f63cda
Tags:	exe
Infos:

Detection

Score:	32
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	35
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Deletes itself after installation

Enables network access during safeboot for specific services

Found string related to ransomware

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to delete services

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe (PID: 3624 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe" MD5: 8745C960022BCEFFF65C91A47374A169)

TMLauncher.exe (PID: 7312 cmdline: "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe" MD5: 8FCA72C59D3A9AA6EDA33C64DAA0296D)

TurboMeeting.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt MD5: D973EE70262ADF0A3D8AC412964517F9)

TurboMeeting.exe (PID: 7612 cmdline: TurboMeeting.exe --MagDetect MD5: D973EE70262ADF0A3D8AC412964517F9)

TurboMeeting.exe (PID: 7780 cmdline: TurboMeeting.exe --VSEDetect MD5: D973EE70262ADF0A3D8AC412964517F9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Virustotal: Detection: 8%

Perma Link

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	EXE: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to behavior

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboMeeting

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMInstaller.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	Jump to behavior

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 8.18.62.6:443 -> 192.168.2.7:49706 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\RHUB2\PCSetup\Release.V2017\PCSetup.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMResource\Release.V2017\TMResource.pdb source: TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCInstaller\Release.V2017\PCInstaller.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb@ source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\MyHookDll\Release.V2017\MyHookDll.pdb source: TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\work\rhub\Code\SendSAS\release\SendSAS.pdb source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\vistafunc\Release.V2017\vistafunc.pdb source: TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000002.3778188999.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 00000008.00000002.1527616968.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 0000000B.00000002.1574382545.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdb source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdbM source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCGUI5\Release.V2017\TurboMeeting.pdb source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp

Spreading

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	0_2_00E14130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E63648 FindFirstFileExW,	0_2_00E63648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E338A9 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	0_2_00E338A9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB4100 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	4_2_00CB4100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1F00 GetFileAttributesW,CreateDirectoryW,WSAGetLastError,FindFirstFileW,GetLastError,FormatMessageW,FindNextFileW,SetFileAttributesW,CopyFileW,GetLastError,FormatMessageW,FindNextFileW,FindClose,	4_2_00CB1F00
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC9155 SetLastError,FindFirstFileW,GetLastError,	4_2_00CC9155
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC929D GetModuleHandleW,GetProcAddress,FindFirstFileW,	4_2_00CC929D
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD9D08 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00CD9D08
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFDEE5 FindFirstFileExW,	4_2_00CFDEE5
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC354E6 FindFirstFileExW,	6_2_6EC354E6

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Registry value created: NULL Service

Jump to behavior

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E72440 InternetSetOptionA,InternetSetOptionA,InternetOpenA,InternetSetOptionA,WSAGetLastError,InternetSetOptionA,WSAGetLastError,InternetSetOptionA,WSAGetLastError,InternetConnectA,WSAGetLastError,HttpOpenRequestA,WSAGetLastError,InternetReadFile,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,HttpSendRequestA,WSAGetLastError,HttpQueryInfoA,WSAGetLastError,InternetReadFile,GetDesktopWindow,InternetErrorDlg,WSAGetLastError,InternetReadFile,WSAGetLastError,InternetReadFileExA,WSAGetLastError,_strstr,WSAGetLastError,

0_2_00E72440

Source: global traffic	HTTP traffic detected: GET /as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&myrand11262017=fsOpyNl7RRDmyVQ8cYMYTocPl4347283&rdm=1713420883 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: support.lockwoodbroadcast.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z4AVItfvg3fyyYjjDdD6L2c347284&rdm=1713420884 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: support.lockwoodbroadcast.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: support.lockwoodbroadcast.com

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s%shttp://%shttps://%s%shttps://%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbome
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s%shttps://%s%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbomeet.comgosupportnow.
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%s
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%sPMai
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%s
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%ssURL
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://https://https://%shttp://%sPCGUI.CInviteAttendee_::OnInitDialog.JoinMessage2PCGUI.CInviteAtte
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcb.com/th.crl0
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcb.com/th.crt0
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://th.symcd.com0&
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: TurboMeeting.exe, 0000000B.00000002.1573799950.000000001089C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.
Source: TurboMeeting.exe, 0000000B.00000002.1573799950.0000000010859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.com
Source: TurboMeeting.exe, 00000006.00000000.1496181175.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1525335027.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1555133297.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rhubcom.com.T
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rhubcom.com0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.rhubcom.comRHUB
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00http://www.webrtc.org/experi
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://compose.mail.yahoo.com/?To=&Subj=
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=https://compose.mail.yahoo.com/?To=&Subj=(
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.00000000004E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1477353524.00000000044D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.0000000000522000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476684834.0000000000522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.0000000000513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.lockwoodbroadcast.com/as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&m
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.google.com/calendar/render?action=TEMPLATE&text=

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 8.18.62.6:443 -> 192.168.2.7:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E218C5 GetKeyState,GetKeyState,GetKeyState,SendMessageW,		0_2_00E218C5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD03AF GetKeyState,GetKeyState,GetKeyState,SendMessageW,		4_2_00CD03AF

Spam, unwanted Advertisements and Ransom Demands

Found string related to ransomware

Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: /as/wapi/login?XMLHTTPRequest=Y&Email=%s&Password=%s&RememberMe=%s&Version=%s&pass_through=%s&employee_uid=%s&run_service=%s&os_version=%d&os_description=%s&encrypted=Y

System Summary

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Process Stats: CPU usage > 49%

Contains functionality to delete services

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Code function: 4_2_00CA5C10 GetActiveWindow,MessageBoxW,Sleep,OpenSCManagerW,OpenServiceW,ControlService,Sleep,DeleteService,Sleep,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,WSAGetLastError,CloseServiceHandle,CloseServiceHandle,WSAGetLastError,

4_2_00CA5C10

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4CDF6	0_2_00E4CDF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70F20	0_2_00E70F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E48099	0_2_00E48099
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E48343	0_2_00E48343
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70330	0_2_00E70330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E105F0	0_2_00E105F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70620	0_2_00E70620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4860A	0_2_00E4860A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E488C5	0_2_00E488C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E3C8D5	0_2_00E3C8D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6A8B6	0_2_00E6A8B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6A9DF	0_2_00E6A9DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E70AE0	0_2_00E70AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E06C90	0_2_00E06C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E68E8F	0_2_00E68E8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E10FD0	0_2_00E10FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D026	0_2_00E4D026
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6D010	0_2_00E6D010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D256	0_2_00E4D256
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4D4C0	0_2_00E4D4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E37463	0_2_00E37463
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E71660	0_2_00E71660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6D7B0	0_2_00E6D7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E478D0	0_2_00E478D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5182F	0_2_00E5182F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E679B9	0_2_00E679B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5BA03	0_2_00E5BA03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E51B86	0_2_00E51B86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E53B80	0_2_00E53B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E6FC10	0_2_00E6FC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E47D27	0_2_00E47D27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E1BF40	0_2_00E1BF40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E45F4A	0_2_00E45F4A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE71E4	4_2_00CE71E4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CF60D8	4_2_00CF60D8
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2130	4_2_00CE2130
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D02269	4_2_00D02269
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA8350	4_2_00CA8350
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2377	4_2_00CE2377
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE0330	4_2_00CE0330
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC6440	4_2_00CC6440
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D08580	4_2_00D08580
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE26E9	4_2_00CE26E9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA6660	4_2_00CA6660
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB08E5	4_2_00CB08E5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0A9E0	4_2_00D0A9E0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2993	4_2_00CE2993
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB2CC0	4_2_00CB2CC0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2C5A	4_2_00CE2C5A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE2F15	4_2_00CE2F15
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CAD070	4_2_00CAD070
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B100	4_2_00D0B100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1257	4_2_00CB1257
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB122C	4_2_00CB122C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CED3C0	4_2_00CED3C0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B3F0	4_2_00D0B3F0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB14D0	4_2_00CB14D0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D054F4	4_2_00D054F4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CEB45F	4_2_00CEB45F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE7416	4_2_00CE7416
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE7648	4_2_00CE7648
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D05614	4_2_00D05614
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D0B8B0	4_2_00D0B8B0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE78A5	4_2_00CE78A5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D03BBF	4_2_00D03BBF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00D07DE0	4_2_00D07DE0
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFFFCC	4_2_00CFFFCC
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC3B4B1	6_2_6EC3B4B1

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CDEBDC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CA6620 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CA6260 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CAF930 appears 325 times
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: String function: 00CDECC0 appears 68 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E07CD0 appears 68 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E01D51 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E441EB appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E44180 appears 115 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E44880 appears 67 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: String function: 00E0EEE0 appears 246 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308827291.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMeetingStarter.exe@ vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMeetingStarter.exe@ vs SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus32.rans.winEXE@9/98@2/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,

0_2_00E14130

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14F80 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,CloseHandle,GetLastError,GetLastError,Process32NextW,CloseHandle,		0_2_00E14F80
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB5020 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,FindCloseChangeNotification,GetLastError,GetLastError,Process32NextW,FindCloseChangeNotification,		4_2_00CB5020

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E14F80 GetLastError,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,CloseHandle,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,ImpersonateSelf,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcess,_strstr,TerminateProcess,CloseHandle,GetLastError,GetLastError,Process32NextW,CloseHandle,

0_2_00E14F80

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E2E860 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,

0_2_00E2E860

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E2B751 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

0_2_00E2B751

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File created: C:\Users\user\AppData\Roaming\TurboMeeting

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Mutant created: \Sessions\1\BaseNamedObjects\TMCacheFileMutex

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt

Jump to behavior

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Virustotal: Detection: 8%

Source: TMLauncher.exe

String found in binary or memory: --installprinter

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --MagDetect
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --VSEDetect
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe "C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe "C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --MagDetect	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe TurboMeeting.exe --VSEDetect	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vdmdbg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: vistafunc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Section loaded: winsta.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: TurboMeeting.lnk.6.dr	LNK file: ..\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
Source: TurboMeeting Start Meeting.lnk.6.dr	LNK file: ..\..\..\..\..\TurboMeeting\TurboMeeting\TurboMeeting.exe
Source: TurboMeeting Uninstall.lnk.6.dr	LNK file: ..\..\..\..\..\TurboMeeting\TMRemover.exe

Tries to open an application configuration file (.cfg)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File opened: C:\Users\user\Desktop\starter.cfg

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Automated click: Continue

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a software uninstall entry

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TurboMeeting

Jump to behavior

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\RHUB2\PCSetup\Release.V2017\PCSetup.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMResource\Release.V2017\TMResource.pdb source: TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCInstaller\Release.V2017\PCInstaller.pdb source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb@ source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\MyHookDll\Release.V2017\MyHookDll.pdb source: TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\work\rhub\Code\SendSAS\release\SendSAS.pdb source: TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\vistafunc\Release.V2017\vistafunc.pdb source: TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000002.3778188999.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 00000008.00000002.1527616968.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp, TurboMeeting.exe, 0000000B.00000002.1574382545.000000006EC3D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\RHUB2\Code\PCUninstaller\Release.V2017\PCUninstaller.pdb source: TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdb source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\TMService\Release.V2017\TMService.pdbM source: TMLauncher.exe, 00000004.00000003.1471373053.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\RHUB2\Code\PCGUI5\Release.V2017\TurboMeeting.pdb source: TurboMeeting.exe, 00000006.00000002.3776134929.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.0000000001889000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001889000.00000002.00000001.01000000.00000009.sdmp

PE file contains a valid data directory to section mapping

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains an invalid checksum

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Static PE information: real checksum: 0xca6f3 should be: 0xcb5fb

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Static PE information: section name: _RDATA
Source: dbghelp.dll.0.dr	Static PE information: section name: .didat
Source: InstallService.exe.0.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe.0.dr	Static PE information: section name: _RDATA
Source: PCStarterXP.exe.0.dr	Static PE information: section name: _RDATA
Source: TMDownloader.exe.0.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe.0.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe.0.dr	Static PE information: section name: _RDATA
Source: TMService.exe.0.dr	Static PE information: section name: _RDATA
Source: TurboMeeting.dll.0.dr	Static PE information: section name: .HookSha
Source: TurboMeeting.exe.0.dr	Static PE information: section name: .rodata
Source: TurboMeeting.exe.0.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe.0.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe.4.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe.4.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe.4.dr	Static PE information: section name: _RDATA
Source: dbghelp.dll.4.dr	Static PE information: section name: .didat
Source: InstallService.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarterXP.exe.4.dr	Static PE information: section name: _RDATA
Source: TMDownloader.exe.4.dr	Static PE information: section name: _RDATA
Source: TMInstaller.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMLauncher.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMRemover.exe0.4.dr	Static PE information: section name: _RDATA
Source: TMService.exe.4.dr	Static PE information: section name: _RDATA
Source: TurboMeeting.dll.4.dr	Static PE information: section name: .HookSha
Source: TurboMeeting.exe.4.dr	Static PE information: section name: .rodata
Source: TurboMeeting.exe.4.dr	Static PE information: section name: _RDATA
Source: PCStarter.exe0.4.dr	Static PE information: section name: _RDATA
Source: TM1713420902.dll.6.dr	Static PE information: section name: .HookSha
Source: TM1713420903.dll.8.dr	Static PE information: section name: .HookSha
Source: TM1713420905.dll.11.dr	Static PE information: section name: .HookSha

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44149 push ecx; ret	0_2_00E4415C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E448C6 push ecx; ret	0_2_00E448D9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC0FE pushad ; ret	4_2_00CBC0FF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE0AB pushad ; ret	4_2_00CBE0AC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC0A6 pushad ; ret	4_2_00CBC0A7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC04E pushad ; ret	4_2_00CBC04F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE041 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE054
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE15B pushad ; ret	4_2_00CBE15C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC156 pushad ; ret	4_2_00CBC157
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE103 pushad ; ret	4_2_00CBE104
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC2D6 pushad ; ret	4_2_00CBC2D7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE2BB pushad ; ret	4_2_00CBE2BC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE263 pushad ; ret	4_2_00CBE264
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE20B pushad ; ret	4_2_00CBE20C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC216 pushad ; ret	4_2_00CBC217
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC3EB pushad ; ret	4_2_00CBC3EC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE3B3 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE3C4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE310 pushad ; ret	4_2_00CBE31A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC32E pushad ; ret	4_2_00CBC32F
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC4F3 pushad ; ret	4_2_00CBC4F4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC49B pushad ; ret	4_2_00CBC49C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC443 pushad ; ret	4_2_00CBC444
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE463 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE474
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBE414 push dword ptr [ebx+60858D01h]; ret	4_2_00CBE41C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC5FB pushad ; ret	4_2_00CBC5FC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC5A3 pushad ; ret	4_2_00CBC5A4
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC54B pushad ; ret	4_2_00CBC54C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC6AB pushad ; ret	4_2_00CBC6AC
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC653 pushad ; ret	4_2_00CBC654
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC7FB push dword ptr [ebx+60858D01h]; ret	4_2_00CBC80C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CBC7B3 pushad ; ret	4_2_00CBC7B4

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\vistafunc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMSetup.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	File created: C:\Users\user~1\AppData\Local\Temp\TMInstaller.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt	Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Window found: window name: Progman			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Window found: window name: Progman			Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Start Meeting.lnk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Uninstall.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

File deleted: c:\users\user\desktop\securiteinfo.com.trojan.siggen21.62491.4036.26173.exe

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E22DF3 IsIconic,		0_2_00E22DF3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD1882 IsIconic,		4_2_00CD1882

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E45F4A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E45F4A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E14130 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	0_2_00E14130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E63648 FindFirstFileExW,	0_2_00E63648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E338A9 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	0_2_00E338A9
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB4100 FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,_strstr,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,FormatMessageW,WSAGetLastError,	4_2_00CB4100
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CB1F00 GetFileAttributesW,CreateDirectoryW,WSAGetLastError,FindFirstFileW,GetLastError,FormatMessageW,FindNextFileW,SetFileAttributesW,CopyFileW,GetLastError,FormatMessageW,FindNextFileW,FindClose,	4_2_00CB1F00
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC9155 SetLastError,FindFirstFileW,GetLastError,	4_2_00CC9155
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CC929D GetModuleHandleW,GetProcAddress,FindFirstFileW,	4_2_00CC929D
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CD9D08 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00CD9D08
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFDEE5 FindFirstFileExW,	4_2_00CFDEE5
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC354E6 FindFirstFileExW,	6_2_6EC354E6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E59389 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00E59389

Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	File opened: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml	Jump to behavior

Source: TurboMeeting.exe, 00000006.00000002.3776866345.0000000002263000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA*k(
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476403815.00000000004BA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476524588.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`mS%SystemRoot%\system32\mswsock.dllC
Source: TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: VMware Screen Codec / VMware Video
Source: TurboMeeting.exe, 00000008.00000003.1522178362.0000000000688000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1521892122.000000000067D000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 0000000B.00000002.1555648025.0000000002267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E18060 GetModuleFileNameW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CreateFileW,OutputDebugStringW,SetFilePointer,CloseHandle,lstrcpyW,CreateFileW,CloseHandle,IsDebuggerPresent,

0_2_00E18060

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E1D692 OutputDebugStringA,GetLastError,

0_2_00E1D692

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E59389 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

0_2_00E59389

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5FD22 mov eax, dword ptr fs:[00000030h]	0_2_00E5FD22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4FDB8 mov eax, dword ptr fs:[00000030h]	0_2_00E4FDB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E5FD67 mov eax, dword ptr fs:[00000030h]	0_2_00E5FD67
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CEE5E5 mov eax, dword ptr fs:[00000030h]	4_2_00CEE5E5
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CFAF97 mov eax, dword ptr fs:[00000030h]	4_2_00CFAF97
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC33C4D mov eax, dword ptr fs:[00000030h]	6_2_6EC33C4D
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC34DFD mov eax, dword ptr fs:[00000030h]	6_2_6EC34DFD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E633F8 GetProcessHeap,

0_2_00E633F8

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E0E5A0 SetUnhandledExceptionFilter,SetThreadPriority,WSAGetLastError,SetEvent,SetEvent,SetEvent,	0_2_00E0E5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E01596 SetUnhandledExceptionFilter,#17,_wprintf,GetClassInfoW,WSAStartup,GetModuleFileNameW,_strlen,_strlen,GetModuleFileNameW,PathStripPathW,_strstr,_strstr,_strlen,LoadImageW,SendMessageW,PostMessageW,	0_2_00E01596
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E4A64E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E4A64E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44B9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E44B9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E44D32 SetUnhandledExceptionFilter,	0_2_00E44D32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: 0_2_00E43F3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E43F3A
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CA1C30 SetUnhandledExceptionFilter,#17,_strstr,_strstr,	4_2_00CA1C30
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDE3BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00CDE3BD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CE4A2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CE4A2E
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDEFB3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00CDEFB3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: 4_2_00CDF146 SetUnhandledExceptionFilter,	4_2_00CDF146
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC34E2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6EC34E2E
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC32093 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6EC32093
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Code function: 6_2_6EC31D02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6EC31D02

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E082A0 GetTempPathW,Sleep,CopyFileW,ShellExecuteExW,GetLastError,GetFileAttributesW,

0_2_00E082A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E13D20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetLastError,GlobalAlloc,GetTokenInformation,GetLastError,AllocateAndInitializeSid,GetLastError,EqualSid,FreeSid,GlobalFree,

0_2_00E13D20

Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GShell_TrayWndkernel32.dllDbIU@0{@P
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndkernel32.dllsClientName = %s, sDesktopDirectory = %s, sStartMenuDirectory = %s, sCurrentDirectory = %sc:\rhub2\code\pcutility\pcutility.cppPCUtility:RemoveLink()%s\%s.lnkRemove sLink: %sStart Session%s.lnkStart MeetingRemove start menu directory: %sSoftware\Microsoft\Windows\CurrentVersion\Uninstallfailed to remove registry, sKey = %s, error %d, %sPCUtility::RemoveLink()DeleteRegistryKey(%s)c:\ProgramData\Microsoft\Windows\Start Menu\Programs\%swSoftware\ClassesURL:%s StarterURL ProtocolsKey = %s, sURL = %s, sStarterFile = %s, sClientName = %sPCUtility:RegisterStarter()%s\shell\open\command"%s" %%1sCommandKey = %sSoftware\Microsoft\Internet Explorer\ProtocolExecute0WarnOnOpenRHUBMXmeetingvector<T> too longlist<T> too longMore than log instance, reported from MyLog::Initialize()Server.\RunServerLog%s%s.txt%s%s.bak%s%s.bak.bak%sServerMemoryLog.txt%sServerMemoryLog.bakrsp1024h%s.bak%s.bak.bak%sClientMemoryLog.txt%sClientMemoryLog.bakwfailed to create log file %s in MyLog::GetWorkingDirectory(), %dException happens in MyLog::Initialize()%d-%02d-%02d %02d:%02d:%02dafailed to create log file %s in MyLog::GetWorkingDirectory()%d
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndkernel32.dllDb
Source: TMLauncher.exe	Binary or memory string: Progman
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: ?sBuffer is NULL = %s, iWidth = %d, iHeight = %dc:\rhub2\gui5\virtualgui\pcimage.cppPCImage::ImageBufferToPNGimage.GetLastError() = %sProgmanMS-SDIaMS-SDIbWindows.UI.Core.CoreWindow>>>>> New call c:\rhub2\gui5\virtualgui\pcapplicationsharingmonitor.cppPCApplicationSharingMonitor::GetApplicationList!!! ERROR: GetMonitorByHandle() failed for m_vWindowHandle = %dPCApplicationSharingMonitor::ChangeSharingApplicationc:\rhub2\gui5\virtualgui\guivideo.cppenter: m_iCurrentWebCamStatus = %d, iControlCode = %dGUIVideo::StopWebCamStopWebCam, iControlCode == PRESENTER_ALL_STOP \|\| iControlCode == VIEWER_ALL_STOPGetWebCamNamesStopWebCamGUIVideo::WebCamStatusCallbackGUIVideo::WebCamStatusCallback.WebcamFailedToStartGUIVideo::WebCamStatusCallback.WebcamRefusedToStart1GUIVideo::WebCamStatusCallback.WebcamRefusedToStart2GUIVideo::WebCamStatusCallback.WebcamRefusedToStart3GUIVideo::WebCamStatusCallback.WebcamRefusedToStart4m_bWebcamStartedByUser = %sGUIVideo::SetWebcamStartedByUserm_bWebcamPreviewStartedByUser = %s
Source: SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: invalid headerno new downloadhProcessSnap == INVALID_HANDLE_VALUE: %d, %s!Process32First(): %d, %ssProcessName = %sUtility::TerminateProcessByNameImpersonateSelf(SecurityImpersonation) failed: %d, %sOpenThreadToken() failed: %d, %sSeDebugPrivilegeCRITICAL ISSUE: there is a dead loop. One TurboMeeting.exe cannot be removed!.exesCommandLine = %s, sWorkingDirectory = %sUtility::StartProcessUTF8ToUTF16 is OKsucceeded.iErrorCode = %d, Error = %ssCommandLine = %sopenShellExecute(): iHinstance = %d, iErrorCode = %d, Error = %s, sExecutable = %s, sParameter = %s%s\*...Utility::RemoveAllFileEnd of RemoveAllFile: path = %s, %s, error code: %d, error: %s-sCurrentFilePath = %sSYSTEMbSystemUser = true, sUserApplicationDirectory = %s\..\..\..user application directory does not existbSystemUser = false, sUserApplicationDirectory = %sfrom CSIDL_COMMON_DOCUMENTS, sUserApplicationDirectory = %ssStartMenuDirectory = %ssCurrentDirectory = %ssCurrentFile = %ssUserApplicationDirectory = %ssTempDirectory = %ssDesktopDirectory = %sbUserAppDirAccessable = truebUserAppDirAccessable = falsebSystemUser = truebSystemUser = falseProgmanSHELLDLL_DefViewSysListView32sClientName: %s,
Source: TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: </__OUTLOOK_INTEGRATION__><__OUTLOOK_INTEGRATION__>outlook plugin was installed.c:\rhub2\pcgui5\pcgui\mainfrm.cppMainFrame::OnUpdateSoftwarePREVIOUS_ENTRY_POINT_JOINimage\ApplicationIcon.icoTurboMeetingMainWindowClassenter.MainFrame::OnClose()Error = %dToolbarWindow32TrayNotifyWndPCGUI.CSelectMeetingType::HostMeeting.SystemTrayIconTurboMeetingShell_TrayWnd</__ExitDueToNoConnection__><__ExitDueToNoConnection__></__Message__><__Message__></__PollingResponse__><__PollingResponse__>Received Polling response Error while parsing the string UserId = %d, %sMainWindow::OnRespondPolling()</__PollingId__><__PollingId__>Received Polling response Error while parsing the string No Poll Id UserId = %d, %sReceived Polling response from user But We do not have polling Id %dReceived Polling response UserId = %d, %s</__Choice0__><__Choice0__></__Choice1__><__Choice1__></__Choice2__><__Choice2__></__Choice3__><__Choice3__></__Choice4__><__Choice4__></__PollingQuestion__><__PollingQuestion__>Error while parsing the Polling Question %sMainWindow::OnShowRequestPolling()Error while parsing the Polling id %s</__IsSingleResponse__><__IsSingleResponse__></__Question__><__Question__></__PollingResult__><__PollingResult__>Error while parsing the Polling results From User %d : %sMainWindow::OnShowPublishPolling()Error while parsing the Polling Id. No PollingId is present: From User %d : %s</__TotalResponse__><__TotalResponse__></__ResponseChoice0__><__ResponseChoice0__></__ResponseChoice1__><__ResponseChoice1__></__ResponseChoice2__><__ResponseChoice2__></__ResponseChoice3__><__ResponseChoice3__></__ResponseChoice4__><__ResponseChoice4__>PCGUI.MainWindow::MainWindow.ExitPCGUI.IDR_TRAY_MENU.ID_OPENPCGUI.IDD_ACTIVEGIALOG.IDC_STATIC_ACTIVE_LIST_HEADINGPCGUI.CScreenShare::UpdateAttendeeList.HostPCGUI.PLoginDialog::OnInitDialog.JoinPCGUI.MainWindow::MainWindow.AboutPCGUI.BUTTON.REMOVEOpenATTENDEE_CONTROL_DIALOG User Type: %d, iChangedUserType = %dMainFrame::UpdateGUIOnUserTypeHOST_CONTROL_DIALOG User Type: %dMainFrame::UpdateGUIOnUserType.HOST_BECOME_VIEWERMainFrame::UpdateGUIOnUserType.HOST_BECOME_PRESENTERATTENDEE_CONTROL_DIALOG User Type: %dMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_VIEWERMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_PRESENTERMainFrame::UpdateGUIOnUserType.ATTENDEE_BECOME_HOSTMainFrame::UpdateGUIOnUserType.HOST_BECOME_ATTENDEEPCGUI.PhysicalGUI::ProcessMessage.WantControllerPermissionPCGUI.PhysicalGUI::ProcessMessage.RequestControllerPCGUI.PhysicalGUI::ProcessMessage.WantPresenterPermissionPCGUI.PhysicalGUI::ProcessMessage.RequestPresenteriCameraDisplayFormat = %d, iUserType = %d m_bVideoDetached = %d, m_bNoWebcamAvailable = %dMainFrame::OnUpdateWindowPositionTurboMeeting.exeCMD_BYPASS_PRESENCE: sCommand = %sMainFrame::ExecuteCommand()Failed CMD_BYPASS_PRESENCE. sCommand = %sPCGUI.IDD_ASSIGN_PRESENTER_DIALOG.WindowTextPCApplicationSharingMonitor::GetApplicationList.StayWithHDPCGUI.PControlPanelWnd::CreateButtonControls.BecomePresenterPCGUI.PSliderDialo

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E44DDF cpuid

0_2_00E44DDF

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	0_2_00E2F81B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E66014
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E66264
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00E6638D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E66494
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00E66567
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E5D13C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: GetLocaleInfoW,	0_2_00E5D78F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00E65C29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65EEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65EA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Code function: EnumSystemLocalesW,	0_2_00E65F87
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,	4_2_00CD5FAF
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00D0051B
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D007BD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D008A3
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00D00808
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D0092E
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00D00B81
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00D00CA7
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00D00DAD
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D00E7C
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: EnumSystemLocalesW,	4_2_00CF7731
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Code function: GetLocaleInfoW,	4_2_00CF7C53

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMSetup.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tm_starter_dir\rsp1024hcmd.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TMInstaller.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\rsp1024h.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MagDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SVEDetector.txt VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E12320 GetSystemTime,

0_2_00E12320

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E13110 GetModuleFileNameW,GetLongPathNameW,GetUserNameW,SHGetFolderPathW,_strstr,_strstr,SHGetFolderPathW,SHGetFolderPathW,GetTempPathW,GetLongPathNameW,SHGetSpecialFolderPathW,SHGetFolderPathW,GetLongPathNameW,GetLongPathNameW,SHGetFolderPathW,GetLongPathNameW,

0_2_00E13110

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E62425 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00E62425

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Code function: 0_2_00E172E0 GetVersionExW,GetVersionExW,GetVersionExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,

0_2_00E172E0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Code function: 4_2_00CA1840 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

4_2_00CA1840

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Search Order Hijacking	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	11 Windows Service	1 DLL Search Order Hijacking	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	NTDS	34 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Windows Service	1 DLL Search Order Hijacking	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 File Deletion	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	5%	ReversingLabs
SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe	8%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe	2%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe	3%	Virustotal	Browse
C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
support.lockwoodbroadcast.com	8.18.62.6	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://support.lockwoodbroadcast.com/as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&myrand11262017=fsOpyNl7RRDmyVQ8cYMYTocPl4347283&rdm=1713420883	false		high
https://support.lockwoodbroadcast.com/as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z4AVItfvg3fyyYjjDdD6L2c347284&rdm=1713420884	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.rhubcom.comRHUB	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		unknown
http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%s	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		low
http://ocsp.sectigo.com0	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://support.lockwoodbroadcast.com/as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&m	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.0000000000513000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.lockwoodbroadcast.com/as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1477353524.00000000044D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.0000000000522000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476116809.000000000052B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476684834.0000000000522000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rhubcom.com.T	TurboMeeting.exe, 00000006.00000000.1496181175.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1525335027.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1555133297.0000000001A8A000.00000002.00000001.01000000.00000009.sdmp	false		unknown
http://ocsp.thawte.com0	TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=https://compose.mail.yahoo.com/?To=&Subj=(	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		high
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01	TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	false		high
http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%sPMai	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		low
http://%s%shttp://%shttps://%s%shttps://%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbome	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1309749293.00000000022EF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000000.1308753930.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmp, TMLauncher.exe, 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000000.1422829262.0000000000D10000.00000002.00000001.01000000.00000008.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1469995904.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	false		low
https://www.google.com/calendar/render?action=TEMPLATE&text=	TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		high
http://%s%shttps://%s%shttp://%s:%d%shttp://%s:%drhubcom.comgomeetnow.com.turbomeet.comgosupportnow.	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		low
https://support.lockwoodbroadcast.com/	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000002.1476645003.00000000004E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/draft-ietf-avtext-framemarking-07	TurboMeeting.exe, 00000006.00000000.1494408085.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.0000000001802000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.0000000001802000.00000002.00000001.01000000.00000009.sdmp	false		high
http://%s/forumpost.php?euid=%s&cuid=%s&first_name=%s&last_name=%s&from_server_ip=%s&timer_id=%s	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		low
http://%s:%d/MeetingRegistration/user/update-meeting-info.php?sp=%ssURL	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		low
http://crl.thawte.com/ThawteTimestampingCA.crl0	TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://streams.videolan.org/upload/	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		high
http://crl.thawte.com/ThawtePCA.crl0	TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rhubcom.	TurboMeeting.exe, 0000000B.00000002.1573799950.000000001089C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.rhubcom.com	TurboMeeting.exe, 0000000B.00000002.1573799950.0000000010859000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rhubcom.com0	TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sectigo.com/CPS0C	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, 00000000.00000003.1476083142.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1491770470.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471090996.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471056851.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000002.1500863372.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1456768403.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471246256.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1470318717.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1475416215.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471373053.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, TMLauncher.exe, 00000004.00000003.1471840687.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000006.00000003.1499922106.00000000022EC000.00000004.00000020.00020000.00000000.sdmp, TurboMeeting.exe, 00000008.00000003.1507007095.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://compose.mail.yahoo.com/?To=&Subj=	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		high
http://https://https://%shttp://%sPCGUI.CInviteAttendee_::OnInitDialog.JoinMessage2PCGUI.CInviteAtte	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		low
https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to&su=	TurboMeeting.exe, 00000006.00000000.1494408085.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000006.00000002.3776134929.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000002.1524665016.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 00000008.00000000.1504992526.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000000.1530054819.00000000016C2000.00000002.00000001.01000000.00000009.sdmp, TurboMeeting.exe, 0000000B.00000002.1554384401.00000000016C2000.00000002.00000001.01000000.00000009.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.18.62.6	support.lockwoodbroadcast.com	United States		32662	GMCRUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427767
Start date and time:	2024-04-18 06:24:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Detection:	SUS
Classification:	sus32.rans.winEXE@9/98@2/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 121 Number of non-executed functions: 232
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TurboMeeting.exe, PID 7452 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:15:40	API Interceptor	13628329x Sleep call for process: TurboMeeting.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GMCRUS	http://earnandexcel.com	Get hash	malicious	Unknown	Browse	8.18.47.7
	http://bckonline.com/2018/12/21/orlando-brown-tells-dr-phil-that-he-has-four-kids-and-the-2-year-old-is-still-in-the-belly-video/	Get hash	malicious	Unknown	Browse	8.18.47.7
	https://earnandexcel.com/blog/how-to-expand-columns-in-excel-multiple-tricks-to-resize-columns-rows/	Get hash	malicious	Unknown	Browse	8.18.47.7
	http://winning.com.de/4LcLKX1386KvIx6mvpavrrenj4MMBOXAWOTDNDYZC32415IMVO1140976R30	Get hash	malicious	Unknown	Browse	8.18.47.7
	http://evvitteponn.info/	Get hash	malicious	HTMLPhisher	Browse	8.18.47.7
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	8.18.47.7
	https://xsetlp3sattty7yhmls.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	8.18.47.7
	https://attwebupdate.w3spaces.com/	Get hash	malicious	Unknown	Browse	8.18.47.7
	https://www.bsnews.it/2015/01/23/le-citta-piu-brutte-d-italia-brescia-al-nono-posto-in-classifica	Get hash	malicious	Unknown	Browse	8.18.47.7
	https://ioa.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2FpasswordIP:	Get hash	malicious	HTMLPhisher	Browse	8.18.47.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	u2.bat	Get hash	malicious	Bazar Loader, Qbot	Browse	8.18.62.6
	SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe	Get hash	malicious	Phonk Miner, PureLog Stealer, Vidar	Browse	8.18.62.6
	file.exe	Get hash	malicious	Vidar	Browse	8.18.62.6
	FACTURA2402616 - BP.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	8.18.62.6
	#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	8.18.62.6
	#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe	Get hash	malicious	GuLoader	Browse	8.18.62.6
	file.exe	Get hash	malicious	Vidar	Browse	8.18.62.6
	S#U00d6ZLE#U015eME DEV8759 - pdf.exe	Get hash	malicious	GuLoader	Browse	8.18.62.6
	CONTRACTUL DEV8759-pdf.exe	Get hash	malicious	GuLoader	Browse	8.18.62.6
	1704202412475.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	8.18.62.6

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	ASCII text, with very long lines (320), with CRLF, CR line terminators
Category:	modified
Size (bytes):	6985
Entropy (8bit):	5.269451008958541
Encrypted:	false
SSDEEP:	192:83hauK3jd1jWTuv3D9m51I3Y3ahyrMOM3f:d9jXJDgrMT
MD5:	DE0E9877AD98BB909A1BEA6B793E8085
SHA1:	65CB35A68E64B365D93849F1A4EA49DC74B1DBC4
SHA-256:	4DD69D08E3E95E9A2B492CA57695537BA31B563E61E2F2718967A6F9D15E88EE
SHA-512:	3142F8FF343334BB58C162C3C2626B2D5D7DBBDB6D55681D41ACAD9D687C95361FCD763CB6062FBAE5B6B07A6C4492A27E90049CDA524A37106D263DFEB579DA
Malicious:	false
Reputation:	low
Preview:	2024-04-18 08:15:02..Function: ClientInterface::Initialize..Line: 748..Message: Log is initialized: OS = Windows Windows 10, MU: 3072, m_iTimeZoneOffSet: 1, #CPU: 4, 64Bit: Y....2024-04-18 08:15:03..Function: ClientInterface::Initialize..Line: 769..Message: sSystemData = ..Computer: 358075..Computer IP: 192.168.2.7..OS: Windows 10 Professional (Build 9200)..IE: 9..IE Minor: 0..IE Build: 9....2024-04-18 08:15:03..Function: Client::Client..Line: 153..Message: m_sCurrentDirectory = C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting..m_sTempDirectory=C:\Users\user\AppData\Local\Temp\....2024-04-18 08:15:03..Function: Client::Client..Line: 212..Message: m_sClientVersion = 3.0.639....2024-04-18 08:15:03..Function: ClientInterface::Initialize..Line: 837..Message: g_uIdentity.m_sClientName = TurboMeeting....2024-04-18 08:15:03..Function: MyConfigure::DoInitialize..Line: 1942..Message: bNeedToBuildConfgureFileFromScratch = N....2024-04-18 08:15:03..Function: ClientInterface::Ini

C:\Users\user\AppData\Local\Temp\PCClient.zip

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	data
Category:	dropped
Size (bytes):	10921003
Entropy (8bit):	7.998395236086056
Encrypted:	true
SSDEEP:	196608:+8Qn9/JQ7jUMZDdu97ySHxCIS5E0UxK8EVQOSF0AIKTNhLa0uHumzHRi:dQ9R6PZDiyuCx2089EImKXN9mzxi
MD5:	9BA492917815BBBFED9D8E6A0F77481B
SHA1:	FD7827C336E58352F93B541F747F1681E5A761DF
SHA-256:	3245EEC094B82600E78767AA0AE848596F77CFDF1B544590396B3CDDD370AD22
SHA-512:	F3D0921E31669CAB1153D7DEB14C9E2A5776CAD47367AA29B03425E85B29BE1838A288CF664C92502A041901CB23282FDCAAB7DC511CE06B807C50A7E2ABE568
Malicious:	false
Reputation:	low
Preview:	....ClientDatabase.......x..Xak.@..?.]....t........V.P....Z.....0.M..?8..7.......%M.\.&U.......s.{.=/\......e....B......<. .?.D.dB...#..}....I..}..&....%b.-..i...%G....7 _].`K.2.......z......p...c.......(..2.T...$C.!.Vt..c../.MU.WTT..n........kP.n`@...R..'...j.......R.K.i...0.`d..i.&..21.)_.K....?oN..0.2".n....F.....u....fi.B4eh[..b...c.a.....4..E1.tkm.-.:.}N..Lc:..X..eu....F.RK.R.e..,.mCs....2j....Q..N....F..BshdH.v.,..1.y...\|.$C...(.,...Y4...[....`Wz..%.A.E.P.W5O.n.Tk}.nu.=.F.Q{H.Q##.d..c......_.>g.i....X.lfW..+.v....Q..J..\|E%.j.0#.{{....e.5..D.k.St..K..d...D.$+-m.\|/.)5.=g...N%.??.sp.&x.sp....?,..H_..~..]K........N._.N..G.;.'...,+.....}/.#B.....q}[L2.F.R............I.........#.PT....dbghelp.dll..u....x........{..e.F.;.AQ....QP.^.D. .d.]`q...E.j.z.........^..k.........Q...o2..3.3....>..yo......)999.$3c..DD....m..1......."!w..R<.au....>in].j.Z8gQ.\|..j.....Zu...j..u......5.}*J{.1.?..g}...'.]f;.....K.~]j......$..l.....A:.+H.C......x.y5.

C:\Users\user\AppData\Local\Temp\SVEDetector.txt

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	ASCII text, with very long lines (320), with CRLF, CR line terminators
Category:	modified
Size (bytes):	7407
Entropy (8bit):	5.273339854691407
Encrypted:	false
SSDEEP:	192:HtXaSQ3xT1/WBMvtx9k5fItyUGXyZnSRyH:ADxhNvNZn7
MD5:	16523C11ED63772458D93F26A7B5E431
SHA1:	76C6966E61F749144F5EAA35EE0C31708EDFD4ED
SHA-256:	2FC44F3A9248FAEE527D3C5440CFAE5FB053D2A79A25664F5CC6E14CDD59034C
SHA-512:	F80B1EA0834ACED4C990DDE071CA8C68C2D3F692790DFBD0C948A7FBB0038289088CE8E4E52B86E79964FA88034D9E47AB7D60FD1AE997B0AD900D69B87B7D1D
Malicious:	false
Reputation:	low
Preview:	2024-04-18 08:15:05..Function: ClientInterface::Initialize..Line: 748..Message: Log is initialized: OS = Windows Windows 10, MU: 3072, m_iTimeZoneOffSet: 1, #CPU: 4, 64Bit: Y....2024-04-18 08:15:05..Function: ClientInterface::Initialize..Line: 769..Message: sSystemData = ..Computer: 358075..Computer IP: 192.168.2.7..OS: Windows 10 Professional (Build 9200)..IE: 9..IE Minor: 0..IE Build: 9....2024-04-18 08:15:05..Function: Client::Client..Line: 153..Message: m_sCurrentDirectory = C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting..m_sTempDirectory=C:\Users\user\AppData\Local\Temp\....2024-04-18 08:15:05..Function: Client::Client..Line: 212..Message: m_sClientVersion = 3.0.639....2024-04-18 08:15:05..Function: ClientInterface::Initialize..Line: 837..Message: g_uIdentity.m_sClientName = TurboMeeting....2024-04-18 08:15:05..Function: MyConfigure::DoInitialize..Line: 1942..Message: bNeedToBuildConfgureFileFromScratch = N....2024-04-18 08:15:05..Function: ClientInterface::Ini

C:\Users\user\AppData\Local\Temp\TMInstaller.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	10550
Entropy (8bit):	5.302174498209266
Encrypted:	false
SSDEEP:	192:5coGqgT0/LzUTGeSd67kGfHLro9xA4LisS12ytFzuBS26L19bjXO:SFUEKeggSbJyLzzzO
MD5:	5C6296E5BE4F76BCFE6EA1996AA9E7A0
SHA1:	4D6ADBE26783828A97616B3B0C78B5A0647228A1
SHA-256:	29C251040483EB6AC6EA593B416A24A1FF0C53788ABE3DCD8F6CCE948CABCCB1
SHA-512:	A46CF61692AE1E684A0A0E5B51632E9AB156786CDCEECDA4CA63DB1F5A77DF190E6E4D41171AEF625E2A3BEB68906058394B2C81DAE3399A1ACA6147B16CF215
Malicious:	false
Reputation:	low
Preview:	2024-04-18 06:25:31..Function: Utility::Initialize()..Line: 244..Message: AfxGetApp()->m_lpCmdLine = ..sCurrentDirectory = ....2024-04-18 06:25:31..Function: PCInstaller:Initialize()..Line: 286..Message: m_iInstallType = INSTALL_TYPE_INSTALL....2024-04-18 06:25:31..Function: Utility::GetUserDirectory()..Line: 304..Message: m_uIdentity.m_sClientName = ....2024-04-18 06:25:31..Function: Utility::GetUserDirectory()..Line: 4045..Message: sCurrentFilePath = C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe....2024-04-18 06:25:31..Function: Utility::GetUserDirectory()..Line: 4099..Message: bSystemUser = false, sUserApplicationDirectory = C:\Users\user\AppData\Roaming....2024-04-18 06:25:31..Function: Utility::GetUserDirectory()..Line: 4174..Message: sStartMenuDirectory = C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting....2024-04-18 06:25:31..Function: Utility::GetUserDirectory()..Line: 4176..Message: sCurrentDirectory = C:\Users\fr

C:\Users\user\AppData\Local\Temp\TMSetup.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	10999
Entropy (8bit):	5.354822431521058
Encrypted:	false
SSDEEP:	192:61r10a1GITgCmFajw9ldycOX04oiwgwApdFwh/LYsICTBqX:ZYy3rC
MD5:	14F345AD20B4141780311E2C6A2B463A
SHA1:	825F9A9ED40A0F3AB3881CE1341828D8F5D7CB5C
SHA-256:	191D90DBAD3E31A8527CD59801DA0CAC5BF2EE59548FD1AAFD3BBB337925AFA8
SHA-512:	3FF227BD1E5A822B1949D63C8D38497A0A6CE074092BB0BBA0106C5FA9F34F63E2F814BFF155A27339D29510F67D149E5F50E676722A8E58B4C26ADBFED57A04
Malicious:	false
Reputation:	low
Preview:	2024-04-18 08:14:43..Function: PCSetupApp::InitInstance()..Line: 143..Message: m_lpCmdLine = ....2024-04-18 08:14:43..Function: PCSetupApp::InitInstance()..Line: 159..Message: sCurrentFilePath = C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe....2024-04-18 08:14:43..Function: PCSetupApp::InitInstance()..Line: 181..Message: Valid sSetting....2024-04-18 08:14:43..Function: Utility::GetUserDirectory()..Line: 4045..Message: sCurrentFilePath = C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe....2024-04-18 08:14:43..Function: Utility::GetUserDirectory()..Line: 4099..Message: bSystemUser = false, sUserApplicationDirectory = C:\Users\user\AppData\Roaming....2024-04-18 08:14:43..Function: Utility::GetUserDirectory()..Line: 4174..Message: sStartMenuDirectory = C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting....2024-04-18 08:14:43..Function: Utility::GetUserDirectory()..Line: 4176..Message:

C:\Users\user\AppData\Local\Temp\rsp1024h.txt

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	ASCII text, with very long lines (459), with CRLF line terminators
Category:	modified
Size (bytes):	15164
Entropy (8bit):	5.342006981812532
Encrypted:	false
SSDEEP:	192:8OkaPD3UI1GaXvOK9P50IO52iUk/Rb8XrUmbl9lGQiO9k9H/eC2aCkWID:LTUm/zylklnG7Su8ID
MD5:	DB805C29A0454736F6717658BBC8F2EE
SHA1:	1A193DEBDD5C88E873D9C6BF4F0A19F413FBF42B
SHA-256:	8A8B02474BD0A33922C424A3DE7A05F3F3339C78155056D17D1A6233828E2FBB
SHA-512:	F30AF0533F5885FC4C79396A9BE926097D437C8BC089EF61E63C814A4EE83F518C5D8E8EBD1BC1A6B34E98CCA5FD17849A485D83BA3359666DD6884B8EFA3946
Malicious:	false
Reputation:	low
Preview:	2024-04-18 08:15:02..Function: ClientInterface::Initialize..Line: 748..Message: Log is initialized: OS = Windows Windows 10, MU: 3072, m_iTimeZoneOffSet: 1, #CPU: 4, 64Bit: Y....2024-04-18 08:15:02..Function: ClientInterface::Initialize..Line: 769..Message: sSystemData = ..Computer: 358075..Computer IP: 192.168.2.7..OS: Windows 10 Professional (Build 9200)..IE: 9..IE Minor: 0..IE Build: 9....2024-04-18 08:15:02..Function: Client::Client..Line: 153..Message: m_sCurrentDirectory = C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting..m_sTempDirectory=C:\Users\user\AppData\Local\Temp\....2024-04-18 08:15:02..Function: Client::Client..Line: 212..Message: m_sClientVersion = 3.0.639....2024-04-18 08:15:02..Function: ClientInterface::Initialize..Line: 837..Message: g_uIdentity.m_sClientName = TurboMeeting....2024-04-18 08:15:02..Function: MyConfigure::DoInitialize..Line: 1942..Message: bNeedToBuildConfgureFileFromScratch = Y....2024-04-18 08:15:02..Function: MyConfigure::DoIniti

C:\Users\user\AppData\Local\Temp\tm_starter_dir\ClientDatabase

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	data
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	2.198346257931369
Encrypted:	false
SSDEEP:	24:F+vdfet1NDbTBR2cXovYePne99KLzaRYJLHYLTYLSC3vDCeKLvd/9ziqeKLjpztl:ydfK2NY2IkfmrCp8YI3
MD5:	180D45BE65098DA1E2D0F72795581C5D
SHA1:	B4B90F594BF1B1A0603D28A6342CC2052BB010C8
SHA-256:	C8A22EE90C0E0DB5877FD047EA957452D827A077C5A823C2FF6A0A3E6D421A52
SHA-512:	F65A2667A5DBAEE134C7B744E60B9A442A72AE6EAD97501180DA0E1B058FE5F33864D9B91DAF2057C205DB46276AD4B15D8F8D4AF131C0C9B1A2EB5A90E32B01
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GEX}`q4r.....T44.....@ .........................................................................9......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	233720
Entropy (8bit):	6.298697976196144
Encrypted:	false
SSDEEP:	6144:KSJ0P6jSLEpJ1RZlR4lGitKd50fAOhso6iZGD:66jSLoJp4lGi4jID6iZA
MD5:	CA2C90A15E0B8701A71B28E875865F35
SHA1:	319C1961F05D1D6C31984D141B91B870DC0B1EFA
SHA-256:	7AEECEDC2D37BD3AD549851121CCFED9B9D62285DB474735998C8EA741DCA867
SHA-512:	AC3CB38535A0D48B5EA14EC89868FDF9B5EEA0BBC51ED11D59FF83FC43A5286AA67E7F5896434200CB0C615270DC6A1BA4F901C0CFF6A79FA6A8B9D913872F31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 2%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k.~8.~8.~8..}9.~8..{9p.~8..z9.~8..}9.~8..{9.~8..z9.~8...8.~8..8u.~8_.{9..~8_.8.~8_.\|9.~8Rich.~8........................PE..L.....1`.............................E............@.................................5.....@.................................D...x....................Z...6......@...0...T...............................@............................................text............................... ..`.rdata..............................@..@.data............b..................@..._RDATA.. ....p......................@..@.rsrc................8..............@..@.reloc..@........ ...:..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	786984
Entropy (8bit):	6.461738695456927
Encrypted:	false
SSDEEP:	12288:8Np51L0Z775xs2qnf8PtVXJSLKlK4pKJe5d0nocsxa3k48118t/HY4EErtkTd2hM:6JL0Z/mnet60yocssl8gY4hkTd2hCM+
MD5:	C28568A1EB37159185590BCCF20F9866
SHA1:	DFE01651DA872470E686C2BE78400C80C98FA450
SHA-256:	ED500E8A0B1260F47EF142B06CF08AF8719D003F227C5EF48DD0166C6456D941
SHA-512:	476324F2E9BA91053145A77D36D26020318EE12F336D056861D9556E989771D134FF65BFA18F5090419DA131B082A711635C0E37592551AF25E0BD0575C14F9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......I.A.../.../..././.,..././..././.+.../....../....../....../._.+.../._.,.../.<..)./._..../...+.../....../......./...*.../....../......./...-.../.Rich../.........PE..L.....{_.................z..........3;............@......................................@.....................................@....P..0...............(....@......[..T....................\......H\..@...............`............................text...!x.......z.................. ..`.rdata...s.......t...~..............@..@.data...0,..........................@..._RDATA.. ....@.......t..............@..@.rsrc...0....P.......~..............@..@.reloc......@.......b..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	785584
Entropy (8bit):	6.4611685242844645
Encrypted:	false
SSDEEP:	12288:YNp51L0Z775xs2qnf8PtVXJSLKlK4pKJe5d0nocsxa3k48118t/HY4EErtkTd2hf:eJL0Z/mnet60yocssl8gY4hkTd2hCMl
MD5:	8CE1DC1E87F955F2529CA7A796AD8820
SHA1:	9A51C28787D5AD0363DC33FCBCEDD3995F855482
SHA-256:	27773D79B0AE6A473909434BF72642C2098B649F4033139BC06C274ADA88E3BE
SHA-512:	D40A82436183802F31E492D2C14CA4B3559EDC24975DD937BBF6A7588F6595C24DD67B417CD109AAEED49DFBA6319AA575047386BC08A859D5DBE8FD7DF75941
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......I.A.../.../..././.,..././..././.+.../....../....../....../._.+.../._.,.../.<..)./._..../...+.../....../......./...*.../....../......./...-.../.Rich../.........PE..L.....{_.................z..........3;............@.................................n.....@.....................................@....P..0....................@......[..T....................\......H\..@...............`............................text...!x.......z.................. ..`.rdata...s.......t...~..............@..@.data...0,..........................@..._RDATA.. ....@.......t..............@..@.rsrc...0....P.......~..............@..@.reloc......@.......b..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89192
Entropy (8bit):	6.575566498006661
Encrypted:	false
SSDEEP:	1536:3D+xbSVMbhA4oCpgk5czAwxNmO5fkHy3hG:3DavbjslxNmO5fE
MD5:	E0861D6F2836555E2C1E5F223234A9F1
SHA1:	C2F9C1B8EB85722B5EF83E080C78D5E378CB5210
SHA-256:	84F0B260E146D07F0BE5A0C61CABCAEFE5288850A707F073B5EBC8FAAEC408C5
SHA-512:	04F7D3943E49A54D45ABE55EE93DE1772A5C1183A994DB521A9234C0B21D0211CADDB2968B2B3C4E922E50DB328CC4402043FF30B3E9CE5A69A18F6B31347C46
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.d.+...+...+....4w.;....4d......4g.O....4q.&...+...Z....4x.(....4p.....4r....Rich+...........................PE..L...@s.O.....................P......o.............@..........................0.......f............................................... ..............0'..85..............................................@............................................text............................... ..`.rdata..v,.......0..................@..@.data...\|,..........................@....rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380152
Entropy (8bit):	6.523803406973679
Encrypted:	false
SSDEEP:	6144:2D5CTBgdxPf1wwbe0HZKfjhsjYwAwzxOl4GYlOhwK09Y+066zNvGC5GJAOktkTBZ:2MTBgdxXKwq0HZKfjhQYwz2iY+azNeCw
MD5:	BA7323CFA2E6B7A11E61E5C8621141CF
SHA1:	BB49041C3257CE0A159C3AA49D0FCFF093A24921
SHA-256:	0C4F996D1AA194951D756DE74514F7A1D03F68270E33F3C7E7B5DCF262885166
SHA-512:	19ABBD2F944BDCFB1770B31537206AD3610BCFE566CA25E23E172C14F17575E04A13C10CD08B8FB202515D43237504A341046E9EB7D34410B07F370DE282BE9A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............iI..iI..iI..jH..iI..lHS.iI..mH..iI.-.I..iI..jH..iI..lH..iI..mH..iI0.mH..iI..hIL.iI...I..iI0.lH..iI0.I..iI0.kH..iIRich..iI........PE..L.....Z`..........................................@..........................`...........@.................................D........ ...................6...0.../......T...............................@...............8............................text............................... ..`.rdata..pV.......X..................@..@.data............h..................@..._RDATA.. ............Z..............@..@.rsrc........ .......d..............@..@.reloc.../...0...0...f..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688888
Entropy (8bit):	6.576995195781194
Encrypted:	false
SSDEEP:	12288:UUYb14nVcVw3h4sj2w2QE2uSBlK4bLgyQVW8Xgp1IW6ce+dFqtkTHz+Lqh/:UYnVcV9Y2wFBJF8Xgpm+e+dwkTTJh/
MD5:	8FCA72C59D3A9AA6EDA33C64DAA0296D
SHA1:	5229D88A9E650430719DC5317F8F7601117EF637
SHA-256:	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
SHA-512:	7D898F74D292C23D8F38A29C2C3D8C2E8F6D610C2CCA5B89B5273222A6E31DB078C266A25C4072533DB4F907BA4F3FC700E020A4E7EBD4FBB4D4EA13D0FAA0A3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[^...^...^...J...N...J.......J...H......._...W.L._.......}.......B...o.5.N..........W.K.T.......W...^......W.[.........O.....7._......._...Rich^...........PE..L.....Z`.....................Z......x.............@..........................p......}.....@..................................N..,....................L...6.......l......T...............................@............................................text...3........................... ..`.rdata..8o.......p..................@..@.data....n...p...\|...V..............@..._RDATA.. ...........................@..@.rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688888
Entropy (8bit):	6.576995195781194
Encrypted:	false
SSDEEP:	12288:UUYb14nVcVw3h4sj2w2QE2uSBlK4bLgyQVW8Xgp1IW6ce+dFqtkTHz+Lqh/:UYnVcV9Y2wFBJF8Xgpm+e+dwkTTJh/
MD5:	8FCA72C59D3A9AA6EDA33C64DAA0296D
SHA1:	5229D88A9E650430719DC5317F8F7601117EF637
SHA-256:	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
SHA-512:	7D898F74D292C23D8F38A29C2C3D8C2E8F6D610C2CCA5B89B5273222A6E31DB078C266A25C4072533DB4F907BA4F3FC700E020A4E7EBD4FBB4D4EA13D0FAA0A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[^...^...^...J...N...J.......J...H......._...W.L._.......}.......B...o.5.N..........W.K.T.......W...^......W.[.........O.....7._......._...Rich^...........PE..L.....Z`.....................Z......x.............@..........................p......}.....@..................................N..,....................L...6.......l......T...............................@............................................text...3........................... ..`.rdata..8o.......p..................@..@.data....n...p...\|...V..............@..._RDATA.. ...........................@..@.rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228600
Entropy (8bit):	6.309001563878647
Encrypted:	false
SSDEEP:	6144:MQyEgGJDxpO0ZTXmcANoEEZwBXcAOBXCs9:MQiGJDxpO0ZTXrWcPCm
MD5:	F7A57D58DE9E992509F28477D85EA442
SHA1:	48747FE9CA9D804110462FBEBCC13F4519230443
SHA-256:	B660B3F98E2C45770AF8421E75D7CF7AF71BD7AF8A30EFD4091E75F4D664B2B3
SHA-512:	C12118B16E606CAC969B30462EB0AF501AC7E53A1DFC6BC0635AE3E6C62AA659085DCF19E499F874141CCEBC15245246BCBFA7BA15ECDF5148884A6599B737C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*.E~D.E~D.E~D.Q.G.J~D.Q.A.~D.Q.@.S~D...G._~D...A.~~D...@.g~D.E~E..~D.L...J~D...A.M~D.....D~D.E~..D~D...F.D~D.RichE~D.........................PE..L.....Z`.............................E............@.......................................@.....................................d....`..p............F...6...p..,...@...T...............................@............................................text............................... ..`.rdata..d...........................@..@.data....y.......d..................@..._RDATA.. ....P......................@..@.rsrc...p....`......."..............@..@.reloc..,....p.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMResource.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99064
Entropy (8bit):	6.4536950605419445
Encrypted:	false
SSDEEP:	1536:6SlMHB4rjEkU0TzZsURSuu8rsWlcdbbr4ndQeR4Xj3h8bS:6xerjU0TzZQlfbAJDbS
MD5:	DD12C30E38FD57D25CD75B07E679330B
SHA1:	00C725161356A75121A393F8615641DA10EDA4C6
SHA-256:	0C168E4E9AEA222BBCB4EEC3E61FA72B528F7276492FA4BACAE029241B3808EB
SHA-512:	8555D52DEA80903B5333E94697A0A26DBC0A0FAEF5E833C030C1D45D4BD300219193D7124A4B7E8B8E9FEFDC862B1B8433610AC703149ADD39BFBC0B49264160
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w%...K...K...K..}H...K..}N.n.K..}O...K..~N...K..~O...K..~H...K..n...K...J...K.C.N...K.C.K...K.C.....K......K.C.I...K.Rich..K.........PE..L.....Z`...........!.................................................................W....@.................................0...<....@..h'...........L...6...p..........T...........................8...@............................................text...7........................... ..`.rdata..~X.......Z..................@..@.data........ ......................@....rsrc...h'...@...(..................@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMService.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	365304
Entropy (8bit):	6.394569981481964
Encrypted:	false
SSDEEP:	6144:L15MyaGTrkrrNsg2OVHdlpIuGeqjPINDerbQ9mErScI0ILd+AOIkTBXvXvi:LjMyaGTrbgJVHdlpIuPqjeDHQd+WkTZK
MD5:	26AC20E2F474AC15E0785770931001C3
SHA1:	2BB6CC026B7766D2BACF71E257836771DD8EA462
SHA-256:	2A8A64EBBFBFFDA40DB3EB7F6DD9EFAB0143818637914B6246FBA81D938FA897
SHA-512:	C8669A17D1F4CE7C49325905FC3632FAA420835C775196B6346252BD3F354B86E96EEECCFD1D654F278111F72F61E038D45944BBE8AF75715C650039434644CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n..@...@...@...Td..O...Td......Td..V....a.A....g..Z....g..b....g..~....f..F...@.......Iw5.U....f..K....fY.A....f..A...Rich@...........................PE..L...d.Z`.................B...................`....@..........................0......9.....@.................................@........................\...6..............T...............................@............`..........@....................text....A.......B.................. ..`.rdata..<S...`...T...F..............@..@.data...............................@..._RDATA.. ............ ..............@..@.rsrc................*..............@..@.reloc...........0...,..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113400
Entropy (8bit):	6.717039641153143
Encrypted:	false
SSDEEP:	1536:rBZE+BiaIZbzwd3xHqouKOvjFC5siqiF2Cml9wsW5cdYP0ipZnlBpV2q73hG8:rfPBevwdBHqouK2OF2fxYPhpZnlBpVQ8
MD5:	DFC9A458625B2095D18A17FF37EEDE74
SHA1:	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA
SHA-256:	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
SHA-512:	6B027EA5AE8BF21ACEC150D9B56C9FA8579E2F3BF357F17BF3ED08E9D2C37C3D194FDB4207A04D9B3E2FE700A6660AD28B9655E40764A78951EC312878660C92
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........M..AM..AM..A.,>AG..A.,<A;..A.,=AU..A...@Q..A...@B..A...@_..AD.\AH..AM..A,..A...@O..A...@L..A..0AL..A...@L..ARichM..A................PE..L.....Z`...........!......................................................................@.........................`u......Hv..<........................6......,....m..T............................n..@...............<............................text...+........................... ..`.rdata..`m.......n..................@..@.data................f..............@....HookSha.............n..............@....rsrc................p..............@..@.reloc..,............r..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18097912
Entropy (8bit):	6.861983414670908
Encrypted:	false
SSDEEP:	393216:vpxpeembSbs3WKtQ3qitDvUgGxbt9pJFFZm/C:YembH5tMqpgGxbt9pB
MD5:	D973EE70262ADF0A3D8AC412964517F9
SHA1:	5EFF4B9800B66D63213162E7BB009928F86DDBFD
SHA-256:	BD69CC4974617A01D2759AAB58CDDE4AF9199B8102E325178C2AE043E6783E28
SHA-512:	931152E6FE92E58F22EAB65CC693C69736238333078BFEDD294E2D7A547EA6A0179281DB37395C52558A09DEFE48E35AB927539D2A425D0B2587B15FACB271C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$..........W......................7..........]S/................................W...T.......`.......................l..............{......k.......&.....f.........C.....f.......f.......f...............f.......Rich....................PE..L.....Z`.....................xk.....l.X...... ....@...........................*..........@.................................<.............&..............6...p".4H.. ...T...................t.......8I..@............ ..h...P...`....................text............................. ..`.rodata.@.......................... ..`.rdata..d.$.. ....$.................@..@.data....U...@......................@..._RDATA..............................@..@.rsrc.....&.......&.................@..@.reloc..4H...p"..J..................@..B................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dbghelp.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1229112
Entropy (8bit):	6.534748097696273
Encrypted:	false
SSDEEP:	24576:Z5iAmT4V1XZv3lY0XdaqaYxzxYjievUibP4:t6sc2zxYWLh
MD5:	CC17AE159E28D331B7EC39A4F34527F2
SHA1:	68BACD3808895DB9987F11B63C857E288E022C17
SHA-256:	4BBAE6B52A99355E7C695D901151513235E5B0BF01FF8D5345580D6529763B78
SHA-512:	A5BC90DACD81C278ED4BB3BF862AF1406B4C704845C3F5BE7F0927D4350DA790B7A9FD98E774DEAF5A5004251C45C558EEDE1F797B842E305FBFB6CE8D4A9DE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................7.f....7.g....6.d..........6.b....6.f....6.g...6.c....6.z....".....6.`....6.e....Rich...........................PE..L...?.JT...........!.....d...........c.......................................@.......S....@A........................pZ..s....B..P....p..................85......h....<...............................J..@............@.......Z..@....................text....c.......d.................. ..`.data............H...h..............@....idata..f....@......................@..@.didat.......`......................@....rsrc........p......................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_CHI.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	98734
Entropy (8bit):	6.213205562122042
Encrypted:	false
SSDEEP:	1536:+JVl8XN4NaW1f4RbY9xf72f6bycIuf/hkBzmoRrHv7jF35Pm:WNaAf2JueR5O
MD5:	E19C646DDC1E5B7AF92280538A863E04
SHA1:	4C87C7FB61DBC211C80A44928E6D121E55BDC929
SHA-256:	4E51C94EED094DC6A0D895366750C80B71F5270A3FC96DD9B8047A85C87D40A7
SHA-512:	CB3D2CB4921EDDC12C49248C54712E503D304F4830DD528F66F45FE986F2C08A49F7C1FF244E470875843DCD99AC0D8B2D1393BF1AA8636435E96171F61401F3
Malicious:	false
Preview:	ItemID.Item.File..PCGUI.PBindToWiFiCameraDialog::OnInitDialog.BindToWiFiCamera...APP...WiFi.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step1.1.............WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step2.2.......WiFi........WiFi...SBC_xxx.........11118888.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step3.3..........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.StartToBind........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.WiFiCameraBindFailedMessage..APP.......................WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Chang

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_CHIT.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	98737
Entropy (8bit):	6.215204537239651
Encrypted:	false
SSDEEP:	1536:2UTro5Z6TEq4scziYJT5zObw/+6BflWS+zgqmIWbdKh7lBn1Mzhq/z:2/OEZNiQJ//YSQBWEB1MNyz
MD5:	B34E838E74870B3094DA1DB18FEC92EA
SHA1:	4414DC5F71FACCED09700C12769E61674574ACC7
SHA-256:	3C34B2B116B9017826EB48CF6A6F44EC134FC36F07AD9171B233AC2DC0BFDF34
SHA-512:	F2B81CB346AC3E5296B497FF2E86FC2A12B0875DA8FABA4F6488DAE7AE8720FD86BC50B4DA00E6B17ADF05385A7546E420CAE662A843870B68DB8F7649CA1AC4
Malicious:	false
Preview:	.ItemID.Item.File..PCGUI.PBindToWiFiCameraDialog::OnInitDialog.BindToWiFiCamera...APP...WiFi.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step1.1.............WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step2.2.......WiFi........WiFi...SBC_xxx.........11118888.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step3.3..........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.StartToBind........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.WiFiCameraBindFailedMessage..APP.......................WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Ch

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_DTH.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (548), with CRLF line terminators
Category:	dropped
Size (bytes):	100703
Entropy (8bit):	5.124902678296755
Encrypted:	false
SSDEEP:	1536:+Wb9wI5cfMI/1caAp3PNlYJbNW4fryglWFTNNP1cAZJeYt:+AXBfNNLpt
MD5:	FFC94815BCC52593E591F1DB945DA142
SHA1:	09FD651AD0316F616374809EE23548ACAAB8E0E6
SHA-256:	85A9060D5370A433A147483EA8CD5129D6B77D3FC6C85861BE43E51C83FBB082
SHA-512:	1CC917DE72F7900BAA6E56CF7984EDCC0A9122B77C7C9FC05507D86F87A82827EAED9B58385075CBA9EB6C9E18E7CF44F5339F6F616BD0985F607EF80FB4E7BB
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Scherm delen stoppen...IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.U deelt het scherm...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Maak verbinding met een Bluetooth-apparaat en probeer het opnieuw...UserObject.*.new_meeting_flooded.Er worden te veel nieuwe vergaderingen gemaakt. Gebruik geplande permanente vergaderingen om nieuwe vergaderings-ID's te verminderen....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Sta kijkers toe om te vragen om hun bureaublad te presenteren...GUI::EmailInvitation.OneTapDial.Met ..n tik op de knop...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Je verbinding met de sessie is niet stabiel. Kies een ander netwerk (bijv. Bekabelde verbinding), mobiel apparaat of computer. Doe dan opnieuw mee aan de sessie....MyLogSink::OnLogMessage.StopPhoneCall.De audio-apparaten worden

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_ENG.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (549), with CRLF line terminators
Category:	dropped
Size (bytes):	100929
Entropy (8bit):	5.147580502649148
Encrypted:	false
SSDEEP:	1536:ia4RZIsFlmecKeJYPXI6QhI4LIskWWP1A8/qLb21sakNAEsKq:idpl+KWUUK1KAEsKq
MD5:	822E31DFDFCB95A50B6D28DF87608CD6
SHA1:	9C811ADE35B8F0B7C4B6F69861755539499F10F4
SHA-256:	4A1F173B90493324698E29F089D829D0F6FAAAA728405EBFF602D86D72B77BA6
SHA-512:	A37824FEEC7C3CA968E2DE2C36D213E662C1063D624534E1C420E8F3AD03C0285B6674858C8D6E5C0B7F6D74515F9E21FD01BBCC1E67BFD843F200C568FBCA4E
Malicious:	false
Preview:	ItemID.Item.File..PCGUI.PBindToWiFiCameraDialog::OnInitDialog.BindMessage.Steps to bind this App to a WiFi camera...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.ChangeMessage.You can change the binding by the steps below...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.RemoveBinding.Remove binding...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.ChangeBinding.Change binding...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.WiFiCameraBindFailedMessage.The App failed to bind to the camera. Check if this mobile device has connected with the camera.s WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.StartToBind.Start to bind...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step3.3. Click the binding button...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step2.2. Go to your mobile WiFi settings. Select the camera's WiFi name "SBC_xxx" and input password "11118888"....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step1.1. Power on the camera and start the camera's WiFi....PCGUI.PBindToWiFiCameraDialog::On

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_FRE.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (640), with CRLF line terminators
Category:	dropped
Size (bytes):	110287
Entropy (8bit):	5.212768658752966
Encrypted:	false
SSDEEP:	3072:B91DfrgmvCPrPalKTebn+Hphc2C0OK5nOL4:B91DfrgmvCzPalKTebnkPc2C0OK5nO0
MD5:	9F9EFFC7E14CFEF695D97BA63D261341
SHA1:	15B649B698ACD53963E3442348EBC729A04B857C
SHA-256:	6F773A3B38D8CE1F077A53655F221559BF36F0A2E5611723167028DE759FB45A
SHA-512:	96193D061C8C92AED1124CF4577A1242A5B0ED4A45176CDBB22486277FC1B9E88896A825C5135C05014ECDF0A1659ECAB079E877F3C9B003CC8588793810FD41
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Arr.ter le partage d'.cran...IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Vous partagez l'.cran...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Veuillez vous connecter . un appareil Bluetooth et r.essayer...UserObject.*.new_meeting_flooded.Trop de nouvelles r.unions sont cr..es. Veuillez utiliser les r.unions permanentes planifi.es pour r.duire les nouveaux ID de r.union....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Autoriser les spectateurs . demander . pr.senter leur bureau...GUI::EmailInvitation.OneTapDial.Une touche de num.rotation...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Votre connexion . la session n'est pas stable. Veuillez choisir un autre r.seau (par exemple, une connexion filaire), un appareil mobile ou un ordinateur. Rejoignez ensuite la session....MyLogSink::OnLog

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_GER.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (554), with CRLF line terminators
Category:	dropped
Size (bytes):	106207
Entropy (8bit):	5.183805880890507
Encrypted:	false
SSDEEP:	1536:aJjLa8C/+uYoh4kVzmosbCsYJYT8T1BN4UO4m5Bz2JvIxh7tGTvpc:wINVP+OJWhM6
MD5:	9AD8EDBE48A03EA9F026A63D1950F59C
SHA1:	D4CFB9555DDA08DC2582B18C54CED31282F7602E
SHA-256:	326816125FA54D4A09723807EF47884241B3513E8A52F42CAD66AC177E040A6D
SHA-512:	E358C2B7A9827D14A8DED104F79A613C765042A016073FE166E40BBD0500EC0D129169180FA3F3745635378DBF4F9E7903F812B2EE9C8A713A9EBAF3F9211CFE
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Beenden Sie die Bildschirmfreigabe...IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Sie teilen den Bildschirm...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Stellen Sie eine Verbindung zu einem Bluetooth-Ger.t her und versuchen Sie es erneut...UserObject.*.new_meeting_flooded.Es werden zu viele neue Besprechungen erstellt. Verwenden Sie geplante permanente Besprechungen, um neue Besprechungs-IDs zu reduzieren....PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Su conexi.n a la sesi.n no es estable. Elija una red diferente (p. Ej., Conexi.n por cable), dispositivo m.vil o computadora. Luego vuelve a la sesi.n....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Erm.glichen Sie den Zuschauern, die Pr.sentation ihres Desktops anzufordern...GUI::EmailInvitation.OneTapDial.Ein Fingertipp...MyLogSink::OnLogMe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_ITA.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (545), with CRLF line terminators
Category:	dropped
Size (bytes):	106960
Entropy (8bit):	5.094814632767334
Encrypted:	false
SSDEEP:	1536:xyuuPyyX/7kfVZNyPBqYV7jRRHXkRX4lKSFHEkYcvdRKU33LQ:JY/gNyPBqMdvdsUHLQ
MD5:	555BA58246B88D60247B6C9D6FA9106F
SHA1:	B040E9A84618FBD0340755C500F92CE9E692A0A8
SHA-256:	FC60DF878A62C597BF669F24178E1AEB73D619F15385CAC798A654120141012C
SHA-512:	921AA1946E07ECBEDD00A0AD2D58442820C17FE310FE1F6D0CA6F464A773F7EA6EFF64E315D319E79F9644ADAC66B65D6F02A147A941A5F1F9C05580C7034C21
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Stai condividendo lo schermo...IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Ferma la condivisione dello schermo...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Connettiti a un dispositivo Bluetooth e riprova...UserObject.*.new_meeting_flooded.Sono state create troppe nuove riunioni. Utilizzare riunioni permanenti programmate per ridurre i nuovi ID riunione....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Consenti agli utenti di richiedere di presentare il proprio desktop...GUI::EmailInvitation.OneTapDial.Quadrante con un tocco...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.La tua connessione alla sessione non . stabile. Scegli una rete diversa (ad es. Connessione cablata), dispositivo mobile o computer. Quindi riconnettiti alla sessione....MyLogSink::OnLogMessage.StopPhoneCall.I dispositivi audio veng

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_JPN.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (317), with CRLF line terminators
Category:	dropped
Size (bytes):	115144
Entropy (8bit):	6.00340553785929
Encrypted:	false
SSDEEP:	1536:YzqVDx79PZLoxGAr36wb2cY/1w2E4i91sG9z1aknzGBp:Y7w6RNc
MD5:	F8FA38EBCA233B3B805311979EC31646
SHA1:	850778B2F3949D28C858534720E4CD1E154786F9
SHA-256:	E45D81061CF6ED74405D4EBF3BC530489F6A780B84DF510894F8B0A8D4D8A89E
SHA-512:	C72C9A783E34DB019FD4FBB251018B215D2157FDDC70D273E76C3E5B59AA836097ED22CC341093BECCE8C367B89F03503F636D93070AC4C2988A738E6D5C5917
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader..............IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing...........IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Bluetooth..........................UserObject.*.new_meeting_flooded.................. .....ID.................................PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent............................GUI::EmailInvitation.OneTapDial.............PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.................... ...................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_PRT.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (371), with CRLF line terminators
Category:	dropped
Size (bytes):	111713
Entropy (8bit):	5.192325235869865
Encrypted:	false
SSDEEP:	1536:bW+KreYBSzy/PYiMinpCLmQnPHYKhGcVQwfujuAbjyftfJBiW/nv2hY3:a+KyzoP3MiuHPEna0m
MD5:	6A3E7509311BE81CC2FFCAD1B697F3BD
SHA1:	E24348698A2F8E316D017A47903683B08B7EC9CB
SHA-256:	5A92A07D17108EA6D852108731A2F7CB92F610AD485505D7F8F02BAFF5F5184F
SHA-512:	8ACD6DDD22FC65E7745691E27CA811885C7F9C760191BEBCC9108269745B5A284FF5D6B884E3E45C662FE2D9392EF2A6AD46DE4A73E28C70409CC58FB45539E1
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Voc. est. compartilhando a tela...IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Interromper o compartilhamento de tela...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Conecte-se a um dispositivo Bluetooth e tente novamente...UserObject.*.new_meeting_flooded.Muitas reuni.es novas s.o criadas. Use reuni.es permanentes agendadas para reduzir os novos IDs de reuni.o....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Permitir que os espectadores solicitem a apresenta..o de sua .rea de trabalho...GUI::EmailInvitation.OneTapDial.Marca..o com um toque...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Sua conex.o com a sess.o n.o . est.vel. Escolha uma rede diferente (por exemplo, conex.o com fio), dispositivo m.vel ou computador. Em seguida, volte . sess.o....MyLogSink::OnLogMessage.StopPhoneCall

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_SPA.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (616), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	106752
Entropy (8bit):	5.170056613944853
Encrypted:	false
SSDEEP:	1536:Q7fLnQkna9+AEKjKsbC85Yzg13U6J+Jtr2FphWz9Brw5Mv:QLa4HkdwDw5Mv
MD5:	59F4A43B89E599128DA95F68C6C93C5E
SHA1:	5DE54065488D0417EC2C655F156FC6EDC173ECB4
SHA-256:	B27C22AC64E6D231AE4C17CB93E0A889D376F24EA44864AC15349C7F70C94910
SHA-512:	A016029C5A9288755C96793FDBECFC2663FFC3B6C3E6DB28B9A786D52458D8B9B4500FB923D1D58CA282EC92D1430DC550D368D664E8EE3F7BACABFBE4434D5A
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Est.s compartiendo pantalla...IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Dejar de compartir pantalla...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Bluetooth..........................UserObject.*.new_meeting_flooded.Se crean demasiadas reuniones nuevas. Utilice las reuniones permanentes programadas para reducir las nuevas identificaciones de reuni.n....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Permitir que los espectadores soliciten presentar su escritorio...GUI::EmailInvitation.OneTapDial.Dial de un toque...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Su conexi.n a la sesi.n no es estable. Elija una red diferente (p. Ej., Conexi.n por cable), dispositivo m.vil o computadora. Luego vuelve a la sesi.n....MyLogSink::OnLogMessage.StopPhoneCall.La

C:\Users\user\AppData\Local\Temp\tm_starter_dir\dictionary_client_TUR.tmd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	Unicode text, UTF-8 text, with very long lines (555), with CRLF line terminators
Category:	dropped
Size (bytes):	68108
Entropy (8bit):	5.415653899818446
Encrypted:	false
SSDEEP:	1536:yNpOdmNoOlqF6sVw9uue4XE/ZIwSzpx06:CpOdmNY6v8uE/SwS166
MD5:	01E157ED08E05ED80052AD8DF404B530
SHA1:	FD6229C6410350C30D5B7907DB42C521FC3EDB62
SHA-256:	295A963CCE972904ACF33153C7CAF731027A36B5B8F5249EAAFC5B5D03012D67
SHA-512:	1EEE1112B12FB3FEAC86F9555AF20AB1A16EBF0FDDE09004D4A294603B4BC9A15105B6453BB31B2741998BA781527B339F5174D04B7FA3792172035C20582F0A
Malicious:	false
Preview:	ItemID.Item.File..EmailInvitation::CreateEmailMessage.TipsWireless..PUCU : Ekran tazelemesinin yava.lamas.n.n ve kesilmelerin .nlenmesi i.in telsiz ba.lant.lardan ka..n.n....EmailInvitation::CreateEmailMessage.TipsHeadset.Mikrofon ve hoperl.r.n.z. kullanmak i.in kulakl.k gereklidir (VoIP)....EmailInvitation::CreateEmailMessage.OptionalNumbers..ste.e Ba.l. Numaralar...PCGUI.PAttendeeListDialog::OnRightClickAttendeeList.MoveToTheTop..ste git...PCGUI.PAttendeeListDialog::OnRightClickAttendeeList.ShowInShortList.K.sa Listede G.sterim...PCGUI.PAttendeeListDialog::OnRightClickAttendeeList.ChatTo.Sohbet mesaj. g.nderimi...PCGUI.PAttendeeListDialog::OnInitDialog.ParticipantList.Kat.l.mc. Listesi...PCGUI.PHostMeetingDialog::DisplayAlertMessage.WebinarAlertMessage.Kat.l.mc.lar VoIP kullanamazlar....PCGUI.PAttendeeControlDialog::OnInitDialog.RaiseHand.S.z alma iste.i...PCGUI.PAttendeeControlDialog::OnInitDialog.LowerHand.S.z alma iptali...PCGUI.PHostControlDialo

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\ApplicationIcon.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	3.442256410134587
Encrypted:	false
SSDEEP:	384:AD/IIsIIED9mDKzj8gmUf+SJHgIIsIIzCvA2TDv:oIIsIIJgmUf+ugIIsIIzCvlTDv
MD5:	883746CDA8ECF40EF07D2F26A687E550
SHA1:	88D8D8D7676AE4890C06ACED19212122BE59F44E
SHA-256:	4435E5C62BE3B529D5E2100B5F1F57EDCC2BE82281601313BC8594E52C445D66
SHA-512:	A8CA2E91AAC490EAEEEEEEAF21F9DE64FC1E24A5D690790BEC09E694A3738F12FB4FCADEA799FC54F9D4B766A5C951873F39BB4875E5D58B75243B4E2833F018
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`.......................................'Z..&W..,f..+c..(]..ff..ff3.fff.ff..ff..f...f.3.f.f.f...f...f...f...f.3.f..f...f...f...f.3.f...f................3...............33...f..3.......f...f3..3f..f...f...3....3...f...................3.f.f..................3...f...................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f......3..f................3...f..................3...f...............3...f......3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............3...f.........ff..f.f.f....ff..f....f.!...___.www.....................................................................................xTk..F..p)..'Z..'Z..'Z..'Z..'Z..'Z..'Z..'Z..'Z..........................................................................xTk..F...(......................................................................'Z..'Z..'Z..'Z..'Z..'Z..'Z..'Z

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\CTMeeting.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.268540394824082
Encrypted:	false
SSDEEP:	192:jG8oSNa2uVZZXk6w+tldx2+E5K7sWpK0nqNeSMAo80TxzHOOTvVmASzc:jGSNHuVZjN7a5KIWGo80BBvVlD
MD5:	F366C80B222E8E83D5EC6D90959C2C45
SHA1:	CBEFD8DC9C8E342C6165D0F9C1FCFB177D2E01BE
SHA-256:	8CD38C8E1A62198BEA0BCC85C0B339A835E460ED08A8D8C98BE524B528F07531
SHA-512:	DB1C073C9A7837D8D3D1E3F654C8C95060971130CDD527CDD1365CDFE48CC2BED963FB0D574A4705BA92E2E70102F73795ADF97EDF9EDAAB3EEEFAA03D3E8517
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%...............................................................................t.......n.%.s...t...r...r...r...r...r...r...r...r...t...s...p.(.....t.......................................................................................................................s.......p.U.r...n...k...n...o...p...p...p...p...o...n...k...n...s...p.Z.....v...............................................................................................................q.......o.@.r...m...1.....................................3..m...s...o.F.....q.......................................................................................................m...........s...m...A..................................................F..m...s...R.......n...........................................................................o...s...v...t...r...p...p.......p.(.r...r.............U..Q..F..C..C..E..O..T.............s...r...r.,..

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\DummyWebcam.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1867
Entropy (8bit):	7.3280619152848905
Encrypted:	false
SSDEEP:	48:0wqQNn2xUJ3fw0ww2sq4fl7OYo8QUDTNVS4XrAK9:kY2L0J2l49yx8FDTJT
MD5:	2CFEED234A8558FAFA50655ACB115FD8
SHA1:	2FFB1A9FE6536723E96AE500554D3ABEED2147FC
SHA-256:	615861E3BE02B7EBCF9378BBFEEFE969B503A11C738DFBD9A6514029205646F9
SHA-512:	DA7E66A2DA8EB2363583A9C055B590385412BB924FC0D0D28D8CBFDE9567DD0AB98019F1EC752B16F590764C1D287AEB583B90458820A3D6A75C43E59C7B6583
Malicious:	false
Preview:	.PNG........IHDR...@...@.....%......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:B17AB45350AD11E5B1EDE5C7D0C88953" xmpMM:DocumentID="xmp.did:B17AB45450AD11E5B1EDE5C7D0C88953"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B17AB45150AD11E5B1EDE5C7D0C88953" stRef:documentID="xmp.did:B17AB45250AD11E5B1EDE5C7D0C88953"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......IDATx..[O.@..[Z.P...(r.K@.$....#b..xb F..".x.D.:.r..t..0&....C.u.........eS~.~.~.LJ..K.Ng4........n......T*

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\IMDefault.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2927
Entropy (8bit):	7.901864294096541
Encrypted:	false
SSDEEP:	48:z/AblbrVP517clW9u74PZi5QTsp+9MbP6f8/2X5vZHUcYFye:z/A5bxj7cQ9u7yZ8QTP9KT2XHdYFye
MD5:	6E8F635F6528CC0433861A8DFB0C2D30
SHA1:	E85EC2E9154D1B12835E0590ED00C22A49E3A6DB
SHA-256:	A8CC2B4C182384537CAD5E091DFF777F6806E77EED0E5800B96C573E4FBC1A00
SHA-512:	12F54F49FDDF6857A840608ED070822C7491D6C15B56F6F5A024C27A28264ED1525FAB4D57F9716D49C284BBF24A677A46F8F084BFBBF485D0F62D11B5CBC725
Malicious:	false
Preview:	.PNG........IHDR...8...8.......;....6IDATx...S.w.....d..k....KQL...n..2..../....51.A.a....1....<y...L.E..W.=....w..W..Dd._$..$.DF%...1.K.y9I..[.xzaK..:.1..X".G$.[../...:l..?..V......K.T.v7...O.T8.8.Z...5Y.....V$..+.\|4.P.........@...HR!....+.AS.xZ.9r.... ......#...73M....6...P3U.K.....[q....0.......f.j>Y. b....n...T..=...(b.......M.wf.v.q.py@0.....eb.$S..D.9Ys...i.}...K9...i..=u.R..$=..S..B...'Ss..r...~3.QIf.....M5..l.p:.....r.Yz.B..........{....S..F>..c9..L....7.....r.;....b(..d~I.^....U[..}R..H]S.x.[.>..5.f....k...^9...}^~yU..q..F$._.y..S1L;..i(.c..H...R....ni.? M.}...%.Mm.9R...o../.@.T{}.._...R.Q\|XU....3.9.y.q.KC.....T.Z$.}@j.....Y..@.B..{.X.......&.j........,=_WSE.;o...D...x&$..?.0...n.O5...B..`\|.wk.....#..Mj.7G...+4.v. G....{.~....$G...D.....+{.......m]2xs...vE..r#.=........i. .J..k@..L...FM...=....2.tF.............).....+.........[S/M..r..y.M....R...o...)I..2=....^M..-...Dk.MN..........q.P<!.......\....V.A..@.......0S.....D....}.....%+.

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\MXmeeting.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.7348281735284137
Encrypted:	false
SSDEEP:	96:jvVmqKjOvFd0+uYDkY4RkQWyt9aKdk/o3H4VGr1fSLzeIBvCWV2auhbfgX:j9mqdT0HVt9aKdDSLl6kBbX
MD5:	E7D9E81AFA9CB104E0FE70EE9DABCB6B
SHA1:	FA2D7DF277CD730BAD0786F5BA92D3E5D777403B
SHA-256:	A04E701256B583F226CE290D979B19D51A6EA4C5A94341E4E35DB1CA94DDC6E8
SHA-512:	1FDE7F4C1387FBE304ACBD1EA2479A89306AC90BDF72C6C5AB88B92C44183DFBF7F01729B23C112D77AB7378D4FB007EB2343B50974436C84D69E51C11656A72
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\ProfileInfoDialogBackground.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 98 x 24, image size 394, resolution 2834 x 2834 px/m, cbSize 448, bits offset 54
Category:	dropped
Size (bytes):	448
Entropy (8bit):	4.671818727412439
Encrypted:	false
SSDEEP:	6:7AldcJ6RqNJp743UTxdhTbVld5RH2IQhTnTfJrf9K9LPpPip2DGZOGGu9uDUEnQi:7ASgyH2TnTfVwHZXGGuYgQQI5VSQtL
MD5:	A8A6EF427C5C0EDE5C70AF58AA5680DE
SHA1:	127365EAF32CEE2BA7A958E766FDCCAD0E3C50C6
SHA-256:	1D3F66E964CD9BFF854A550D5ACBB55B2C2027C05CEB7A9396A691B1C9D8C6C2
SHA-512:	C2EC78255EC33AF2AE799972AA275C8FA3378D56092B480C4F39105CB5978983C16B97C33E94CCB5D76886340EEA116B08C207A1D593945B7F600ED7C8751E41
Malicious:	false
Preview:	BM........6...(.......b.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\Separator1.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PNG image data, 266 x 9, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	715
Entropy (8bit):	7.529061088532927
Encrypted:	false
SSDEEP:	12:6v/7dZXLr+yakAkKVlTMtHQOXSL8OW8Nv9XBnzvN3RH/F4ibFLRrcawCajNuk9:gZ3hankqlg1SLR9DnzN3B/FXbFhcawC8
MD5:	B7CCD0351EB77445E7323F2BB74788FD
SHA1:	E0525DA70A851E6DC72D57DD9064F16B949C2A26
SHA-256:	8BAA0FEAF55D59C0929419101BDAB9EA326348F13DE8B68EDFB710076F0C3F78
SHA-512:	34015ECA33A939E74481334A55DB4731D2777B4975E4BCDD648A8DF1CEA80E2C65E93047A5D9C22C681D1CA417CCED190C65E58E8099B740CA669DC9BF829579
Malicious:	false
Preview:	.PNG........IHDR..............(b.....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...]IDATx..mo. .......q.T....$i.HS.`l........-.n.}...{.:.>".q...&.i".y}[...y..?&.&..b-.;.x.6....hp.}.v..N..:........+.>...h3........."V......W9.q)..gC1G.w..?+....h....0@QBW....w?.5...y..$.{...s`.."z.+.N.E...3..'.3....q}.....@...D...J>.l"...U<.9....(.."+T+..-..l.m..f...4^....:..K.=....0.......U.+....}d0a.)."E...{&L&.x....Ag...2....+.j.Eo..T....Z{..j.eW.....qa.#....t.X.L..e.*;]../...:BA\|..N....@,.X..u\|^..t..p.`..@%.Q.....N.....8.W..H@a..y...Q)..Kf..!...:.K......{`...O-.;. +B;./[..g8.....n....w..x.6<A.;b.r.........d?.a7._..W..pA...~..=a...].uw!....y...b.\|..\|.b..M..?..{.=u..0..nD.........IEND.B`.

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\SeperatorLine.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PNG image data, 260 x 1, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	132
Entropy (8bit):	5.413824965565243
Encrypted:	false
SSDEEP:	3:yionv//thPkYtS1clSl0tRthwkBDsTBZtzdatFcEoXa/ljp:6v/lhPkYtS1Rl0znDspzWTAa/Vp
MD5:	4CE28B32C7836663CE74B29F11D176A7
SHA1:	608EBF86C32394E609ACB091E5FEFCB0AF4B9D39
SHA-256:	4199A78439525D778CF91FA5DEFE0C68320B3E51B3EB9C7672939DD4B2F33E50
SHA-512:	E5DF9C12F74A92898A78702935C454CA0314997D7BA36B89126BBF177FD652B5DFECFE8C3687A117D60810FCDB0BCC91ABCDEF7F19B6C4FFB8725F793CC1BD02
Malicious:	false
Preview:	.PNG........IHDR...............GZ....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b.w...(...... ...!..S.L.....IEND.B`.

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\TurboMeetingWatermark.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PNG image data, 274 x 312, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	15525
Entropy (8bit):	7.955817620038244
Encrypted:	false
SSDEEP:	384:md1Xn6jtWIg9t84o4cSmkLjWKmVQWMVwIp8VNP+6YLET2:m3XnLIYt84/KaiRQsImP+gT2
MD5:	C939AF5F23D396F55808E95668C73C18
SHA1:	3E8767C4FCB16767E6E04A34A9B81B74C061E411
SHA-256:	B128C15EA8BB492570E441F2BD3F81D1A481C75997AE107A1D9E830C98067FD9
SHA-512:	BE5D99BEDEB70C53B127BCED885C704C1E7E42634B64A5DE9E4B9138CB91C14C5D774CE27742118E6549D7F562AD5DAFD1395AB02BFB7E04B431F18FDCE16B7C
Malicious:	false
Preview:	.PNG........IHDR.......8.......L.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:B337DD93A04411E3A7E0B3415030DDAB" xmpMM:DocumentID="xmp.did:B337DD94A04411E3A7E0B3415030DDAB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B337DD91A04411E3A7E0B3415030DDAB" stRef:documentID="xmp.did:B337DD92A04411E3A7E0B3415030DDAB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>{.....9.IDATx.b...?..p..Y.......@..@&....@9h.bv(.L.ALTp.2..H.P.P;d..S.4...a.li....1.8.L.5..Zp5..=. ..x...@n....D.t..

C:\Users\user\AppData\Local\Temp\tm_starter_dir\image\Ymeetee.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.908826625397295
Encrypted:	false
SSDEEP:	96:jxp0LXMk1/Au7paUVdD+we1RoeeBniFQ+0TxKtp4+3r/+4sR1sXsXsrEI8kT:jLu8cN5dDxerMQEGp4+3q4sHsXsXsrB
MD5:	E20ADBD0C131A94E99FDE12E0C60D247
SHA1:	EE5EB66E8945EC49A178D739834D448350C1080D
SHA-256:	9473FE1FE2D941DB548F70E716DD8ED841DBAC60C02C71A5CE6BA760872DC69A
SHA-512:	E204339033903140FF0765F38F35DAEFD15C4D336D2C2595A04A481E9104CFC96892FCF9621EA4745E5DDB0F57D9A5641422EFF6C03324842ADAC91A61BEB5E4
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%...............................C...=...V6&.gG^.oR..qT..pT..qT..pT..pT..qT..qT..pT..qT..qT..qT..pT..qT..pT..qT..qT..qT..pT..qT..qT..qT..pT..qT..qT..qT..qT..qT..pT..pT..pT..pT..qT..pQ..kKk.\96.L)..V0...................y..V...[6..rT.....................................................................................................................................................\|a..[;3d....Q2.........Y5..^<*..k....................................................................................................................................................................cDN...hH..eF..W6...h............................................................................................................................................................................`<6.[7..`B..jJn............................................................zZ..T,..U,..U,..U,..U,..U,..U,..U,..U,..U,..U,..T+..e@...............

C:\Users\user\AppData\Local\Temp\tm_starter_dir\jsproxy.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25904
Entropy (8bit):	6.967116392745186
Encrypted:	false
SSDEEP:	384:0XganKwtsIS1KgKy/FEvUzoGJk0cOrQDEUcWTyl5nYPLOdGfZiTUdGfZL8JN77hp:0XgQtd6KgKCU3O7uiTHA3hDl
MD5:	7BCD58DF45A40F865E8DBBCB5B2EF6D1
SHA1:	6B8C19C6521CE5E4C8C81F5A59552F3714B15E17
SHA-256:	F8CDAC83B1512B6BCFABC616F3865BF11C049E59E4A2C8B5D5D4F031332D83D8
SHA-512:	DEAA3F5CA55D53EB398328F6910E86AB4E95A5E8B37FD67EE6FBD21C1CA8E747D09544D7A54A01815864C2CEBD376AA5ED34313C21B7235D31450F996C84CA39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....X...X...X9?.X...X.>.X...X.?.X...X...X...X.?.X...Xt?.X...X9?.X...X...X...X.?.X...XRich...X........PE..L....n=...........!.....&...................@....oq.........................p......@................................2......./.......P...............0..05...`..p....................................................................................text....$.......&.................. ..`.data........@......................@....rsrc........P.....................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tm_starter_dir\rsp1024hcmd.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1909
Entropy (8bit):	5.116245132023822
Encrypted:	false
SSDEEP:	48:0TK1j1rAalFwzKLdErOCZm9I+BOaknxNVbZKcKWUaP1aPyfl:qK1j1rAalFwzKL6OyYceyd
MD5:	64EE134763F8A59FA41575B54B4C9799
SHA1:	3047D89F40E4B5BD14A300BA0C8E11A9DF403EA3
SHA-256:	6CA7946C4805C3705E6D588455D21131376E94960EDED7FDBBD5DACEB48A916B
SHA-512:	E2438809048CC375554292A693C50D5CCED59B5BCC555996454233DCD0CC16CAD48C43889697C289A8CBEB0A324DD587B8AE5921A6F149091C93236A99BDB392
Malicious:	false
Preview:	<__SetupDirectory__>C:\Users\user\AppData\Local\Temp\tm_starter_dir</__SetupDirectory__>..<__SetupFile__>C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe</__SetupFile__>..<__SetupFileName__>SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe</__SetupFileName__>..<__SetupConfigureFile__>C:\Users\user\Desktop\starter.cfg</__SetupConfigureFile__>..<__AccountServerIP__>support.lockwoodbroadcast.com</__AccountServerIP__>..<__AccountServerPort__>443</__AccountServerPort__>..<__MeetingPassword__></__MeetingPassword__>..<__MeetingId__></__MeetingId__>..<__Role__>attendee</__Role__>..<__Version__>3.0.639</__Version__>..<__Publisher__>RHUB Communications, Inc.</__Publisher__>..<__AboutURL__>http://www.rhubcom.com</__AboutURL__>..<__AttendeeName__></__AttendeeName__>..<__AttendeeEmail__></__AttendeeEmail__>..<__Email__></__Email__>..<__UserPassword__></__UserPassword__>..<__PassThrough__></__PassThrough__>..<__ClientName__>TurboMeeting</__ClientName__>.

C:\Users\user\AppData\Local\Temp\tm_starter_dir\version.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.1182751607709753
Encrypted:	false
SSDEEP:	3:MFW54fQn:MM4fQ
MD5:	8797773BBB9B3585F186FC2684A48F6C
SHA1:	460A68B60688E4AC8A169B5A972E5A0120A977BC
SHA-256:	18805AD87BD499C00BC4B72EC6B52E9EC1B9087760E1741EA73CD53A92CC839C
SHA-512:	A4F8DA05BE6F56A1A8347C58A439638967C0129B21884B5C7C624059C690FED7CD131FB1988C524F8D209C407725E223B388E984506A27803DC0F2CC24FB1D50
Malicious:	false
Preview:	3.0.639..8.0.2..35232

C:\Users\user\AppData\Local\Temp\tm_starter_dir\vistafunc.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91384
Entropy (8bit):	6.590287891967479
Encrypted:	false
SSDEEP:	1536:vtJnUFQOmsbk04O5pVMlhIcfRuu9HsWScdlk6hEKLnm7A3h8P:UKsbL5pVMlmWJlDTLnyP
MD5:	D9F52809F0A87FA85638E08187040545
SHA1:	7A4BAF2DCBA8193AE9209BFF85AF56B18DF9344A
SHA-256:	867B919D932C496BE91FDB3FC0AC489FDFFAE9371463BFC24C844FC7CF63A9E4
SHA-512:	8617F7B992F824294D1B840AA0D04B6C040E3C756907729740CCF56E709CF1509E7A8F79B06901FE944D5DBB5C9EDCF1BFA4C1F166607CD2392EF8B6C81D14C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N..c ..c ..c ...#..c ...%.Rc ...$..c ...$..c ...#..c ...%..c .....c ..c!..c ...%..c ... ..c .....c ..."..c .Rich.c .................PE..L.....Z`...........!.........................................................p......@&....@..........................".......#..P....P...................6...`..H.......T...............................@...............,...d"..@....................text...W........................... ..`.rdata...Z.......\..................@..@.data........0......................@....rsrc........P......................@..@.reloc..H....`......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Start Meeting.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Apr 18 03:25:36 2024, mtime=Thu Apr 18 05:15:10 2024, atime=Thu Apr 18 03:25:31 2024, length=18097912, window=hide
Category:	dropped
Size (bytes):	2265
Entropy (8bit):	3.7196011299919634
Encrypted:	false
SSDEEP:	24:8JK229iPLshl0UdPKwg0ALAgNp9MMgpoLMLIESoLMxLkW9AMyycMxLAIJcJtm:8JK22sTszyD30psfkWTrlJcJt
MD5:	93C828CFE3022147DF78D7DCBB08F3FC
SHA1:	0C6371F339BA3C080D235B98D753B2A22D51B1D8
SHA-256:	75DBB468124AB1612FA26966B40B6E03DD250719BED8F2F5DC54AE575408FAA0
SHA-512:	A68B24B2A8C92878809E8F0F966854F8B3C1A1D2DF09D162D2F1E32476A9191B382FA6D0B881EAF05DF0A8D9B78C41F47962CEBA27D8D852FB50F6A62BC7BE0D
Malicious:	false
Preview:	L..................F.@.. ....T(vH.....Z.W...$..rH....&......................F.:..DG..Yr?.D..U..k0.&...&......Qg._...h..hH....6J.W.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X.1..........................3N.A.p.p.D.a.t.a...B.V.1......X2#..Roaming.@......EW.=.X.1..............................R.o.a.m.i.n.g.....b.1......X.1..TURBOM~1..J......X2#.X.1..........................O:..T.u.r.b.o.M.e.e.t.i.n.g.....b.1......X.1..TURBOM~1..J......X2#.X.1...........................8 .T.u.r.b.o.M.e.e.t.i.n.g.....n.2..&...X0# .TURBOM~1.EXE..R......X3#.X.1...........................br.T.u.r.b.o.M.e.e.t.i.n.g...e.x.e.......\|...............-.......{............[.......C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe....T.u.r.b.o.M.e.e.t.i.n.g. .-. .S.t.a.r.t. .M.e.e.t.i.n.g.9.....\.....\.....\.....\.....\.T.u.r.b.o.M.e.e.t.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g...e.x.e.<.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboMeeting\TurboMeeting Uninstall.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2160
Entropy (8bit):	2.721062987486075
Encrypted:	false
SSDEEP:	24:8FrxWL+u+hsBsoLMAQnoLMCwLkW9A/RyeMCwLA2Fdqy:8x8Mq2lLkWVACUy
MD5:	A61F0A659081E43BFB0550779F1E7535
SHA1:	C2ACB1AE16315B5C82510CD6647D9BEB57B896A0
SHA-256:	418976BAFE56B0069FE6F77D2B110DACE7F5090DCF2152A441E74C909CFF9C53
SHA-512:	E57ACA66AE53714D1F8411BAB7EBA269B92E4F9157DD54CCFBD407C247FD3D0268F6484B168964F19FA32E4F6DFAB52A931F61B713B5F84090C23E0CAE122A1F
Malicious:	false
Preview:	L..................F.@......................................................U....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....f.1...........TurboMeeting..J............................................T.u.r.b.o.M.e.e.t.i.n.g.....h.2...........TMRemover.exe.L............................................T.M.R.e.m.o.v.e.r...e.x.e.........T.u.r.b.o.M.e.e.t.i.n.g. .-. .U.n.i.n.s.t.a.l.l.).....\.....\.....\.....\.....\.T.u.r.b.o.M.e.e.t.i.n.g.\.T.M.R.e.m.o.v.e.r...e.x.e.?.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g.\.......-.-.c.l.i.e.n.t._.n.a.m.e. .T.u.r.b.o.M.e.e.t.i.n.g.Y.C.:.\.U

C:\Users\user\AppData\Roaming\TurboMeeting\PCStarter.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	786984
Entropy (8bit):	6.461738695456927
Encrypted:	false
SSDEEP:	12288:8Np51L0Z775xs2qnf8PtVXJSLKlK4pKJe5d0nocsxa3k48118t/HY4EErtkTd2hM:6JL0Z/mnet60yocssl8gY4hkTd2hCM+
MD5:	C28568A1EB37159185590BCCF20F9866
SHA1:	DFE01651DA872470E686C2BE78400C80C98FA450
SHA-256:	ED500E8A0B1260F47EF142B06CF08AF8719D003F227C5EF48DD0166C6456D941
SHA-512:	476324F2E9BA91053145A77D36D26020318EE12F336D056861D9556E989771D134FF65BFA18F5090419DA131B082A711635C0E37592551AF25E0BD0575C14F9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......I.A.../.../..././.,..././..././.+.../....../....../....../._.+.../._.,.../.<..)./._..../...+.../....../......./...*.../....../......./...-.../.Rich../.........PE..L.....{_.................z..........3;............@......................................@.....................................@....P..0...............(....@......[..T....................\......H\..@...............`............................text...!x.......z.................. ..`.rdata...s.......t...~..............@..@.data...0,..........................@..._RDATA.. ....@.......t..............@..@.rsrc...0....P.......~..............@..@.reloc......@.......b..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TMInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688888
Entropy (8bit):	6.576995195781194
Encrypted:	false
SSDEEP:	12288:UUYb14nVcVw3h4sj2w2QE2uSBlK4bLgyQVW8Xgp1IW6ce+dFqtkTHz+Lqh/:UYnVcV9Y2wFBJF8Xgpm+e+dwkTTJh/
MD5:	8FCA72C59D3A9AA6EDA33C64DAA0296D
SHA1:	5229D88A9E650430719DC5317F8F7601117EF637
SHA-256:	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
SHA-512:	7D898F74D292C23D8F38A29C2C3D8C2E8F6D610C2CCA5B89B5273222A6E31DB078C266A25C4072533DB4F907BA4F3FC700E020A4E7EBD4FBB4D4EA13D0FAA0A3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[^...^...^...J...N...J.......J...H......._...W.L._.......}.......B...o.5.N..........W.K.T.......W...^......W.[.........O.....7._......._...Rich^...........PE..L.....Z`.....................Z......x.............@..........................p......}.....@..................................N..,....................L...6.......l......T...............................@............................................text...3........................... ..`.rdata..8o.......p..................@..@.data....n...p...\|...V..............@..._RDATA.. ...........................@..@.rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TMLauncher.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688888
Entropy (8bit):	6.576995195781194
Encrypted:	false
SSDEEP:	12288:UUYb14nVcVw3h4sj2w2QE2uSBlK4bLgyQVW8Xgp1IW6ce+dFqtkTHz+Lqh/:UYnVcV9Y2wFBJF8Xgpm+e+dwkTTJh/
MD5:	8FCA72C59D3A9AA6EDA33C64DAA0296D
SHA1:	5229D88A9E650430719DC5317F8F7601117EF637
SHA-256:	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
SHA-512:	7D898F74D292C23D8F38A29C2C3D8C2E8F6D610C2CCA5B89B5273222A6E31DB078C266A25C4072533DB4F907BA4F3FC700E020A4E7EBD4FBB4D4EA13D0FAA0A3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[^...^...^...J...N...J.......J...H......._...W.L._.......}.......B...o.5.N..........W.K.T.......W...^......W.[.........O.....7._......._...Rich^...........PE..L.....Z`.....................Z......x.............@..........................p......}.....@..................................N..,....................L...6.......l......T...............................@............................................text...3........................... ..`.rdata..8o.......p..................@..@.data....n...p...\|...V..............@..._RDATA.. ...........................@..@.rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TMRemover.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228600
Entropy (8bit):	6.309001563878647
Encrypted:	false
SSDEEP:	6144:MQyEgGJDxpO0ZTXmcANoEEZwBXcAOBXCs9:MQiGJDxpO0ZTXrWcPCm
MD5:	F7A57D58DE9E992509F28477D85EA442
SHA1:	48747FE9CA9D804110462FBEBCC13F4519230443
SHA-256:	B660B3F98E2C45770AF8421E75D7CF7AF71BD7AF8A30EFD4091E75F4D664B2B3
SHA-512:	C12118B16E606CAC969B30462EB0AF501AC7E53A1DFC6BC0635AE3E6C62AA659085DCF19E499F874141CCEBC15245246BCBFA7BA15ECDF5148884A6599B737C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*.E~D.E~D.E~D.Q.G.J~D.Q.A.~D.Q.@.S~D...G._~D...A.~~D...@.g~D.E~E..~D.L...J~D...A.M~D.....D~D.E~..D~D...F.D~D.RichE~D.........................PE..L.....Z`.............................E............@.......................................@.....................................d....`..p............F...6...p..,...@...T...............................@............................................text............................... ..`.rdata..d...........................@..@.data....y.......d..................@..._RDATA.. ....P......................@..@.rsrc...p....`......."..............@..@.reloc..,....p.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11258
Entropy (8bit):	4.633973127023923
Encrypted:	false
SSDEEP:	192:/PCYXUhWOpbWVwt98C1hnlndO9nQnUnzn3hsX6H5veh/oQxrB03uc2Ugt2hNa4ow:VkhWOpbW28C1AHkh5UH3aDv7Pl9hblen
MD5:	4EA8515F972553020A96A0221CFEBFA9
SHA1:	316B5BA513891CEA7D0A8848DCF30DDB852013C1
SHA-256:	8CB592235E3BC0DF74F58F8E95177763BA866A8E1192F2E50D040E8D2E24D314
SHA-512:	5666CFEA9185F33EEE523D27EBB6BE6E8ACB8B0FE620AEF9E70B903FD9E4C8EFD8E4AF97D15FCCCCCE37402569C5951F696C195EEE35E38E1CBA20BB4F5528BF
Malicious:	false
Preview:	<__CACHE__>..<__TRACE_LEVEL__>0</__TRACE_LEVEL__>..<__GUI_REMEMBER_PASSWORD__>true</__GUI_REMEMBER_PASSWORD__>..<__GUI_SERVER_ADDRESS__>support.lockwoodbroadcast.com</__GUI_SERVER_ADDRESS__>..<__GUI_EMAIL_ADDRESS__></__GUI_EMAIL_ADDRESS__>..<__GUI_PASSWORD__></__GUI_PASSWORD__>..<__GUI_NAME__></__GUI_NAME__>..<__GUI_IMAGE_QUALITY__>4</__GUI_IMAGE_QUALITY__>..<__GUI_UserPresetAutologin__>false</__GUI_UserPresetAutologin__>..<__GUI_MEETING_TYPE_SELECTION__>0</__GUI_MEETING_TYPE_SELECTION__>..<__GUI_ABOUT_URL__></__GUI_ABOUT_URL__>..<__PASSWORD_ASSISTANCE_URL__></__PASSWORD_ASSISTANCE_URL__>..<__DEPLOYED_FOR_PARTNER__>N</__DEPLOYED_FOR_PARTNER__>..<__DISABLE_POWERED_BY__>Y</__DISABLE_POWERED_BY__>..<__LOGIN_TITLE__>DataObject.ServiceCompany.login_title.Username</__LOGIN_TITLE__>..<__PROMOTION_URL__></__PROMOTION_URL__>..<__MEETING_PRIVILEGE__>65535</__MEETING_PRIVILEGE__>..<__ABOUT_URL__>http://www.rhubcom.com</__ABOUT_URL__>..<__PUBLISHER__>RHUB Communications, Inc.</__PUBLISHER__>..<__C

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\ClientDatabase

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	data
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	2.198346257931369
Encrypted:	false
SSDEEP:	24:F+vdfet1NDbTBR2cXovYePne99KLzaRYJLHYLTYLSC3vDCeKLvd/9ziqeKLjpztl:ydfK2NY2IkfmrCp8YI3
MD5:	180D45BE65098DA1E2D0F72795581C5D
SHA1:	B4B90F594BF1B1A0603D28A6342CC2052BB010C8
SHA-256:	C8A22EE90C0E0DB5877FD047EA957452D827A077C5A823C2FF6A0A3E6D421A52
SHA-512:	F65A2667A5DBAEE134C7B744E60B9A442A72AE6EAD97501180DA0E1B058FE5F33864D9B91DAF2057C205DB46276AD4B15D8F8D4AF131C0C9B1A2EB5A90E32B01
Malicious:	false
Preview:	GEX}`q4r.....T44.....@ .........................................................................9......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	736
Entropy (8bit):	4.513279028548777
Encrypted:	false
SSDEEP:	12:bytbNeFS9GgAGkv5kxv5Mh7oxunsifnrNodoh3Tx3BpxUBQrlmortZUgn:bC30xoqhu6VrUohlxDpb1n
MD5:	123758BC7261FD214AD5E454A829656D
SHA1:	9C661C902118488DFF2B5E29A5182CE63C8A3A77
SHA-256:	3957EDDA90CDFE0FF751F563CBD3C864F3541A9D67E505108478904216577ABE
SHA-512:	ABD8A13FBFDE33088C84399190BEA9BE73AF1AF1921A8A4111675FC1683E0D6BC20013D04EBA0899E68292B24D54BD2DEFA6457433681D98D39B4412F6DC5102
Malicious:	false
Preview:	<__Configure__>..<__CLIENT_NETWORK_DEVICE__>eth0</__CLIENT_NETWORK_DEVICE__>..<__CLIENT_WIRELESS_NETWORK_DEVICE__>wlan0</__CLIENT_WIRELESS_NETWORK_DEVICE__>..<__CLIENT_HARDWARE_MODEL__>X86_CLIENT</__CLIENT_HARDWARE_MODEL__>..<__CLIENT_PRODUCT_MEETNG_PRIVILIGE__>2147483647</__CLIENT_PRODUCT_MEETNG_PRIVILIGE__>..<__CLIENT_PRODUCT_TYPE__>0</__CLIENT_PRODUCT_TYPE__>..<__CLIENT_PLATFORM__></__CLIENT_PLATFORM__>..<__CLIENT_SERIAL_NUMBER__>0</__CLIENT_SERIAL_NUMBER__>..<__CLIENT_PRODUCT_MODEL__></__CLIENT_PRODUCT_MODEL__>..<__CLIENT_PRODUCT_RESOLUTION__>720</__CLIENT_PRODUCT_RESOLUTION__>..<__CLIENT_NAME__>TurboMeeting</__CLIENT_NAME__>..<__CLIENT_KEY__></__CLIENT_KEY__>..<__CLIENT_SUB_TYPE__>1</__CLIENT_SUB_TYPE__>..</__Configure__>

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420902.dll

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113400
Entropy (8bit):	6.717039641153143
Encrypted:	false
SSDEEP:	1536:rBZE+BiaIZbzwd3xHqouKOvjFC5siqiF2Cml9wsW5cdYP0ipZnlBpV2q73hG8:rfPBevwdBHqouK2OF2fxYPhpZnlBpVQ8
MD5:	DFC9A458625B2095D18A17FF37EEDE74
SHA1:	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA
SHA-256:	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
SHA-512:	6B027EA5AE8BF21ACEC150D9B56C9FA8579E2F3BF357F17BF3ED08E9D2C37C3D194FDB4207A04D9B3E2FE700A6660AD28B9655E40764A78951EC312878660C92
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........M..AM..AM..A.,>AG..A.,<A;..A.,=AU..A...@Q..A...@B..A...@_..AD.\AH..AM..A,..A...@O..A...@L..A..0AL..A...@L..ARichM..A................PE..L.....Z`...........!......................................................................@.........................`u......Hv..<........................6......,....m..T............................n..@...............<............................text...+........................... ..`.rdata..`m.......n..................@..@.data................f..............@....HookSha.............n..............@....rsrc................p..............@..@.reloc..,............r..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420903.dll

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113400
Entropy (8bit):	6.717039641153143
Encrypted:	false
SSDEEP:	1536:rBZE+BiaIZbzwd3xHqouKOvjFC5siqiF2Cml9wsW5cdYP0ipZnlBpV2q73hG8:rfPBevwdBHqouK2OF2fxYPhpZnlBpVQ8
MD5:	DFC9A458625B2095D18A17FF37EEDE74
SHA1:	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA
SHA-256:	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
SHA-512:	6B027EA5AE8BF21ACEC150D9B56C9FA8579E2F3BF357F17BF3ED08E9D2C37C3D194FDB4207A04D9B3E2FE700A6660AD28B9655E40764A78951EC312878660C92
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........M..AM..AM..A.,>AG..A.,<A;..A.,=AU..A...@Q..A...@B..A...@_..AD.\AH..AM..A,..A...@O..A...@L..A..0AL..A...@L..ARichM..A................PE..L.....Z`...........!......................................................................@.........................`u......Hv..<........................6......,....m..T............................n..@...............<............................text...+........................... ..`.rdata..`m.......n..................@..@.data................f..............@....HookSha.............n..............@....rsrc................p..............@..@.reloc..,............r..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\HookDLL\TM1713420905.dll

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113400
Entropy (8bit):	6.717039641153143
Encrypted:	false
SSDEEP:	1536:rBZE+BiaIZbzwd3xHqouKOvjFC5siqiF2Cml9wsW5cdYP0ipZnlBpV2q73hG8:rfPBevwdBHqouK2OF2fxYPhpZnlBpVQ8
MD5:	DFC9A458625B2095D18A17FF37EEDE74
SHA1:	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA
SHA-256:	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
SHA-512:	6B027EA5AE8BF21ACEC150D9B56C9FA8579E2F3BF357F17BF3ED08E9D2C37C3D194FDB4207A04D9B3E2FE700A6660AD28B9655E40764A78951EC312878660C92
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........M..AM..AM..A.,>AG..A.,<A;..A.,=AU..A...@Q..A...@B..A...@_..AD.\AH..AM..A,..A...@O..A...@L..A..0AL..A...@L..ARichM..A................PE..L.....Z`...........!......................................................................@.........................`u......Hv..<........................6......,....m..T............................n..@...............<............................text...+........................... ..`.rdata..`m.......n..................@..@.data................f..............@....HookSha.............n..............@....rsrc................p..............@..@.reloc..,............r..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\InstallService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	233720
Entropy (8bit):	6.298697976196144
Encrypted:	false
SSDEEP:	6144:KSJ0P6jSLEpJ1RZlR4lGitKd50fAOhso6iZGD:66jSLoJp4lGi4jID6iZA
MD5:	CA2C90A15E0B8701A71B28E875865F35
SHA1:	319C1961F05D1D6C31984D141B91B870DC0B1EFA
SHA-256:	7AEECEDC2D37BD3AD549851121CCFED9B9D62285DB474735998C8EA741DCA867
SHA-512:	AC3CB38535A0D48B5EA14EC89868FDF9B5EEA0BBC51ED11D59FF83FC43A5286AA67E7F5896434200CB0C615270DC6A1BA4F901C0CFF6A79FA6A8B9D913872F31
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k.~8.~8.~8..}9.~8..{9p.~8..z9.~8..}9.~8..{9.~8..z9.~8...8.~8..8u.~8_.{9..~8_.8.~8_.\|9.~8Rich.~8........................PE..L.....1`.............................E............@.................................5.....@.................................D...x....................Z...6......@...0...T...............................@............................................text............................... ..`.rdata..............................@..@.data............b..................@..._RDATA.. ....p......................@..@.rsrc................8..............@..@.reloc..@........ ...:..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarter.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	786984
Entropy (8bit):	6.461738695456927
Encrypted:	false
SSDEEP:	12288:8Np51L0Z775xs2qnf8PtVXJSLKlK4pKJe5d0nocsxa3k48118t/HY4EErtkTd2hM:6JL0Z/mnet60yocssl8gY4hkTd2hCM+
MD5:	C28568A1EB37159185590BCCF20F9866
SHA1:	DFE01651DA872470E686C2BE78400C80C98FA450
SHA-256:	ED500E8A0B1260F47EF142B06CF08AF8719D003F227C5EF48DD0166C6456D941
SHA-512:	476324F2E9BA91053145A77D36D26020318EE12F336D056861D9556E989771D134FF65BFA18F5090419DA131B082A711635C0E37592551AF25E0BD0575C14F9C
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......I.A.../.../..././.,..././..././.+.../....../....../....../._.+.../._.,.../.<..)./._..../...+.../....../......./...*.../....../......./...-.../.Rich../.........PE..L.....{_.................z..........3;............@......................................@.....................................@....P..0...............(....@......[..T....................\......H\..@...............`............................text...!x.......z.................. ..`.rdata...s.......t...~..............@..@.data...0,..........................@..._RDATA.. ....@.......t..............@..@.rsrc...0....P.......~..............@..@.reloc......@.......b..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\PCStarterXP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	785584
Entropy (8bit):	6.4611685242844645
Encrypted:	false
SSDEEP:	12288:YNp51L0Z775xs2qnf8PtVXJSLKlK4pKJe5d0nocsxa3k48118t/HY4EErtkTd2hf:eJL0Z/mnet60yocssl8gY4hkTd2hCMl
MD5:	8CE1DC1E87F955F2529CA7A796AD8820
SHA1:	9A51C28787D5AD0363DC33FCBCEDD3995F855482
SHA-256:	27773D79B0AE6A473909434BF72642C2098B649F4033139BC06C274ADA88E3BE
SHA-512:	D40A82436183802F31E492D2C14CA4B3559EDC24975DD937BBF6A7588F6595C24DD67B417CD109AAEED49DFBA6319AA575047386BC08A859D5DBE8FD7DF75941
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......I.A.../.../..././.,..././..././.+.../....../....../....../._.+.../._.,.../.<..)./._..../...+.../....../......./...*.../....../......./...-.../.Rich../.........PE..L.....{_.................z..........3;............@.................................n.....@.....................................@....P..0....................@......[..T....................\......H\..@...............`............................text...!x.......z.................. ..`.rdata...s.......t...~..............@..@.data...0,..........................@..._RDATA.. ....@.......t..............@..@.rsrc...0....P.......~..............@..@.reloc......@.......b..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\Sss.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89192
Entropy (8bit):	6.575566498006661
Encrypted:	false
SSDEEP:	1536:3D+xbSVMbhA4oCpgk5czAwxNmO5fkHy3hG:3DavbjslxNmO5fE
MD5:	E0861D6F2836555E2C1E5F223234A9F1
SHA1:	C2F9C1B8EB85722B5EF83E080C78D5E378CB5210
SHA-256:	84F0B260E146D07F0BE5A0C61CABCAEFE5288850A707F073B5EBC8FAAEC408C5
SHA-512:	04F7D3943E49A54D45ABE55EE93DE1772A5C1183A994DB521A9234C0B21D0211CADDB2968B2B3C4E922E50DB328CC4402043FF30B3E9CE5A69A18F6B31347C46
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.d.+...+...+....4w.;....4d......4g.O....4q.&...+...Z....4x.(....4p.....4r....Rich+...........................PE..L...@s.O.....................P......o.............@..........................0.......f............................................... ..............0'..85..............................................@............................................text............................... ..`.rdata..v,.......0..................@..@.data...\|,..........................@....rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMDownloader.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380152
Entropy (8bit):	6.523803406973679
Encrypted:	false
SSDEEP:	6144:2D5CTBgdxPf1wwbe0HZKfjhsjYwAwzxOl4GYlOhwK09Y+066zNvGC5GJAOktkTBZ:2MTBgdxXKwq0HZKfjhQYwz2iY+azNeCw
MD5:	BA7323CFA2E6B7A11E61E5C8621141CF
SHA1:	BB49041C3257CE0A159C3AA49D0FCFF093A24921
SHA-256:	0C4F996D1AA194951D756DE74514F7A1D03F68270E33F3C7E7B5DCF262885166
SHA-512:	19ABBD2F944BDCFB1770B31537206AD3610BCFE566CA25E23E172C14F17575E04A13C10CD08B8FB202515D43237504A341046E9EB7D34410B07F370DE282BE9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............iI..iI..iI..jH..iI..lHS.iI..mH..iI.-.I..iI..jH..iI..lH..iI..mH..iI0.mH..iI..hIL.iI...I..iI0.lH..iI0.I..iI0.kH..iIRich..iI........PE..L.....Z`..........................................@..........................`...........@.................................D........ ...................6...0.../......T...............................@...............8............................text............................... ..`.rdata..pV.......X..................@..@.data............h..................@..._RDATA.. ............Z..............@..@.rsrc........ .......d..............@..@.reloc.../...0...0...f..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMInstaller.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688888
Entropy (8bit):	6.576995195781194
Encrypted:	false
SSDEEP:	12288:UUYb14nVcVw3h4sj2w2QE2uSBlK4bLgyQVW8Xgp1IW6ce+dFqtkTHz+Lqh/:UYnVcV9Y2wFBJF8Xgpm+e+dwkTTJh/
MD5:	8FCA72C59D3A9AA6EDA33C64DAA0296D
SHA1:	5229D88A9E650430719DC5317F8F7601117EF637
SHA-256:	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
SHA-512:	7D898F74D292C23D8F38A29C2C3D8C2E8F6D610C2CCA5B89B5273222A6E31DB078C266A25C4072533DB4F907BA4F3FC700E020A4E7EBD4FBB4D4EA13D0FAA0A3
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[^...^...^...J...N...J.......J...H......._...W.L._.......}.......B...o.5.N..........W.K.T.......W...^......W.[.........O.....7._......._...Rich^...........PE..L.....Z`.....................Z......x.............@..........................p......}.....@..................................N..,....................L...6.......l......T...............................@............................................text...3........................... ..`.rdata..8o.......p..................@..@.data....n...p...\|...V..............@..._RDATA.. ...........................@..@.rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMLauncher.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688888
Entropy (8bit):	6.576995195781194
Encrypted:	false
SSDEEP:	12288:UUYb14nVcVw3h4sj2w2QE2uSBlK4bLgyQVW8Xgp1IW6ce+dFqtkTHz+Lqh/:UYnVcV9Y2wFBJF8Xgpm+e+dwkTTJh/
MD5:	8FCA72C59D3A9AA6EDA33C64DAA0296D
SHA1:	5229D88A9E650430719DC5317F8F7601117EF637
SHA-256:	11B64793473C88AA0EF2F9BDE703E9494495029D416E76D954FD3F044EF8FC10
SHA-512:	7D898F74D292C23D8F38A29C2C3D8C2E8F6D610C2CCA5B89B5273222A6E31DB078C266A25C4072533DB4F907BA4F3FC700E020A4E7EBD4FBB4D4EA13D0FAA0A3
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[^...^...^...J...N...J.......J...H......._...W.L._.......}.......B...o.5.N..........W.K.T.......W...^......W.[.........O.....7._......._...Rich^...........PE..L.....Z`.....................Z......x.............@..........................p......}.....@..................................N..,....................L...6.......l......T...............................@............................................text...3........................... ..`.rdata..8o.......p..................@..@.data....n...p...\|...V..............@..._RDATA.. ...........................@..@.rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMRemover.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228600
Entropy (8bit):	6.309001563878647
Encrypted:	false
SSDEEP:	6144:MQyEgGJDxpO0ZTXmcANoEEZwBXcAOBXCs9:MQiGJDxpO0ZTXrWcPCm
MD5:	F7A57D58DE9E992509F28477D85EA442
SHA1:	48747FE9CA9D804110462FBEBCC13F4519230443
SHA-256:	B660B3F98E2C45770AF8421E75D7CF7AF71BD7AF8A30EFD4091E75F4D664B2B3
SHA-512:	C12118B16E606CAC969B30462EB0AF501AC7E53A1DFC6BC0635AE3E6C62AA659085DCF19E499F874141CCEBC15245246BCBFA7BA15ECDF5148884A6599B737C8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*.E~D.E~D.E~D.Q.G.J~D.Q.A.~D.Q.@.S~D...G._~D...A.~~D...@.g~D.E~E..~D.L...J~D...A.M~D.....D~D.E~..D~D...F.D~D.RichE~D.........................PE..L.....Z`.............................E............@.......................................@.....................................d....`..p............F...6...p..,...@...T...............................@............................................text............................... ..`.rdata..d...........................@..@.data....y.......d..................@..._RDATA.. ....P......................@..@.rsrc...p....`......."..............@..@.reloc..,....p.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMResource.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99064
Entropy (8bit):	6.4536950605419445
Encrypted:	false
SSDEEP:	1536:6SlMHB4rjEkU0TzZsURSuu8rsWlcdbbr4ndQeR4Xj3h8bS:6xerjU0TzZQlfbAJDbS
MD5:	DD12C30E38FD57D25CD75B07E679330B
SHA1:	00C725161356A75121A393F8615641DA10EDA4C6
SHA-256:	0C168E4E9AEA222BBCB4EEC3E61FA72B528F7276492FA4BACAE029241B3808EB
SHA-512:	8555D52DEA80903B5333E94697A0A26DBC0A0FAEF5E833C030C1D45D4BD300219193D7124A4B7E8B8E9FEFDC862B1B8433610AC703149ADD39BFBC0B49264160
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w%...K...K...K..}H...K..}N.n.K..}O...K..~N...K..~O...K..~H...K..n...K...J...K.C.N...K.C.K...K.C.....K......K.C.I...K.Rich..K.........PE..L.....Z`...........!.................................................................W....@.................................0...<....@..h'...........L...6...p..........T...........................8...@............................................text...7........................... ..`.rdata..~X.......Z..................@..@.data........ ......................@....rsrc...h'...@...(..................@..@.reloc.......p.......>..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TMService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	365304
Entropy (8bit):	6.394569981481964
Encrypted:	false
SSDEEP:	6144:L15MyaGTrkrrNsg2OVHdlpIuGeqjPINDerbQ9mErScI0ILd+AOIkTBXvXvi:LjMyaGTrbgJVHdlpIuPqjeDHQd+WkTZK
MD5:	26AC20E2F474AC15E0785770931001C3
SHA1:	2BB6CC026B7766D2BACF71E257836771DD8EA462
SHA-256:	2A8A64EBBFBFFDA40DB3EB7F6DD9EFAB0143818637914B6246FBA81D938FA897
SHA-512:	C8669A17D1F4CE7C49325905FC3632FAA420835C775196B6346252BD3F354B86E96EEECCFD1D654F278111F72F61E038D45944BBE8AF75715C650039434644CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n..@...@...@...Td..O...Td......Td..V....a.A....g..Z....g..b....g..~....f..F...@.......Iw5.U....f..K....fY.A....f..A...Rich@...........................PE..L...d.Z`.................B...................`....@..........................0......9.....@.................................@........................\...6..............T...............................@............`..........@....................text....A.......B.................. ..`.rdata..<S...`...T...F..............@..@.data...............................@..._RDATA.. ............ ..............@..@.rsrc................*..............@..@.reloc...........0...,..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113400
Entropy (8bit):	6.717039641153143
Encrypted:	false
SSDEEP:	1536:rBZE+BiaIZbzwd3xHqouKOvjFC5siqiF2Cml9wsW5cdYP0ipZnlBpV2q73hG8:rfPBevwdBHqouK2OF2fxYPhpZnlBpVQ8
MD5:	DFC9A458625B2095D18A17FF37EEDE74
SHA1:	7B397E54EB28167DBA481B0AE6A64D8B72A24DCA
SHA-256:	AE13B7B55095775805A2A2D0AB8DD224678B1F08556252431107A9F3AA3A0FF3
SHA-512:	6B027EA5AE8BF21ACEC150D9B56C9FA8579E2F3BF357F17BF3ED08E9D2C37C3D194FDB4207A04D9B3E2FE700A6660AD28B9655E40764A78951EC312878660C92
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........M..AM..AM..A.,>AG..A.,<A;..A.,=AU..A...@Q..A...@B..A...@_..AD.\AH..AM..A,..A...@O..A...@L..A..0AL..A...@L..ARichM..A................PE..L.....Z`...........!......................................................................@.........................`u......Hv..<........................6......,....m..T............................n..@...............<............................text...+........................... ..`.rdata..`m.......n..................@..@.data................f..............@....HookSha.............n..............@....rsrc................p..............@..@.reloc..,............r..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18097912
Entropy (8bit):	6.861983414670908
Encrypted:	false
SSDEEP:	393216:vpxpeembSbs3WKtQ3qitDvUgGxbt9pJFFZm/C:YembH5tMqpgGxbt9pB
MD5:	D973EE70262ADF0A3D8AC412964517F9
SHA1:	5EFF4B9800B66D63213162E7BB009928F86DDBFD
SHA-256:	BD69CC4974617A01D2759AAB58CDDE4AF9199B8102E325178C2AE043E6783E28
SHA-512:	931152E6FE92E58F22EAB65CC693C69736238333078BFEDD294E2D7A547EA6A0179281DB37395C52558A09DEFE48E35AB927539D2A425D0B2587B15FACB271C7
Malicious:	true
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$..........W......................7..........]S/................................W...T.......`.......................l..............{......k.......&.....f.........C.....f.......f.......f...............f.......Rich....................PE..L.....Z`.....................xk.....l.X...... ....@...........................*..........@.................................<.............&..............6...p".4H.. ...T...................t.......8I..@............ ..h...P...`....................text............................. ..`.rodata.@.......................... ..`.rdata..d.$.. ....$.................@..@.data....U...@......................@..._RDATA..............................@..@.rsrc.....&.......&.................@..@.reloc..4H...p"..J..................@..B................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\accessory_status.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	111
Entropy (8bit):	3.8883890193690394
Encrypted:	false
SSDEEP:	3:oG22qM6sSkZ8g22qM6sSkxZ926kmm26XsriQgm6kmm26XsriM:XHSaHSQsU3g2U5
MD5:	6A8CE1982E0DD43B41C7F1D67382AE9D
SHA1:	9347BF3EB2A583C1FCAB57E2D4094F36E9BBB225
SHA-256:	2CB2CE581DC4EC484E2F4A16C91B68E7C3D403999A33FC4B67B03D9D903CB0DD
SHA-512:	FD4E7D713BE5101DD1A3C95565DD640252D90AD7D345CFF193D6E38C7ED236EA39A4CBB75BCE39B11E5E5B0FE368DF8772ED1D3895A8B49007C24710EEB18B9F
Malicious:	false
Preview:	<__ACCESSORY_INSTALLED__>N</__ACCESSORY_INSTALLED__>..<__SERVER_ACCESS_SETTING1__></__SERVER_ACCESS_SETTING1__>

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dbghelp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1229112
Entropy (8bit):	6.534748097696273
Encrypted:	false
SSDEEP:	24576:Z5iAmT4V1XZv3lY0XdaqaYxzxYjievUibP4:t6sc2zxYWLh
MD5:	CC17AE159E28D331B7EC39A4F34527F2
SHA1:	68BACD3808895DB9987F11B63C857E288E022C17
SHA-256:	4BBAE6B52A99355E7C695D901151513235E5B0BF01FF8D5345580D6529763B78
SHA-512:	A5BC90DACD81C278ED4BB3BF862AF1406B4C704845C3F5BE7F0927D4350DA790B7A9FD98E774DEAF5A5004251C45C558EEDE1F797B842E305FBFB6CE8D4A9DE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................7.f....7.g....6.d..........6.b....6.f....6.g...6.c....6.z....".....6.`....6.e....Rich...........................PE..L...?.JT...........!.....d...........c.......................................@.......S....@A........................pZ..s....B..P....p..................85......h....<...............................J..@............@.......Z..@....................text....c.......d.................. ..`.data............H...h..............@....idata..f....@......................@..@.didat.......`......................@....rsrc........p......................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_CHI.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	98734
Entropy (8bit):	6.213205562122042
Encrypted:	false
SSDEEP:	1536:+JVl8XN4NaW1f4RbY9xf72f6bycIuf/hkBzmoRrHv7jF35Pm:WNaAf2JueR5O
MD5:	E19C646DDC1E5B7AF92280538A863E04
SHA1:	4C87C7FB61DBC211C80A44928E6D121E55BDC929
SHA-256:	4E51C94EED094DC6A0D895366750C80B71F5270A3FC96DD9B8047A85C87D40A7
SHA-512:	CB3D2CB4921EDDC12C49248C54712E503D304F4830DD528F66F45FE986F2C08A49F7C1FF244E470875843DCD99AC0D8B2D1393BF1AA8636435E96171F61401F3
Malicious:	false
Preview:	ItemID.Item.File..PCGUI.PBindToWiFiCameraDialog::OnInitDialog.BindToWiFiCamera...APP...WiFi.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step1.1.............WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step2.2.......WiFi........WiFi...SBC_xxx.........11118888.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step3.3..........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.StartToBind........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.WiFiCameraBindFailedMessage..APP.......................WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Chang

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_CHIT.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	98737
Entropy (8bit):	6.215204537239651
Encrypted:	false
SSDEEP:	1536:2UTro5Z6TEq4scziYJT5zObw/+6BflWS+zgqmIWbdKh7lBn1Mzhq/z:2/OEZNiQJ//YSQBWEB1MNyz
MD5:	B34E838E74870B3094DA1DB18FEC92EA
SHA1:	4414DC5F71FACCED09700C12769E61674574ACC7
SHA-256:	3C34B2B116B9017826EB48CF6A6F44EC134FC36F07AD9171B233AC2DC0BFDF34
SHA-512:	F2B81CB346AC3E5296B497FF2E86FC2A12B0875DA8FABA4F6488DAE7AE8720FD86BC50B4DA00E6B17ADF05385A7546E420CAE662A843870B68DB8F7649CA1AC4
Malicious:	false
Preview:	.ItemID.Item.File..PCGUI.PBindToWiFiCameraDialog::OnInitDialog.BindToWiFiCamera...APP...WiFi.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Message..APP......WiFi.....MAC...__WIFI_CAMERA_MAC_ADDRESS__....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step1.1.............WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step2.2.......WiFi........WiFi...SBC_xxx.........11118888.....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step3.3..........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.StartToBind........PCGUI.PBindToWiFiCameraDialog::OnInitDialog.WiFiCameraBindFailedMessage..APP.......................WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Ch

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_DTH.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (548), with CRLF line terminators
Category:	dropped
Size (bytes):	100703
Entropy (8bit):	5.124902678296755
Encrypted:	false
SSDEEP:	1536:+Wb9wI5cfMI/1caAp3PNlYJbNW4fryglWFTNNP1cAZJeYt:+AXBfNNLpt
MD5:	FFC94815BCC52593E591F1DB945DA142
SHA1:	09FD651AD0316F616374809EE23548ACAAB8E0E6
SHA-256:	85A9060D5370A433A147483EA8CD5129D6B77D3FC6C85861BE43E51C83FBB082
SHA-512:	1CC917DE72F7900BAA6E56CF7984EDCC0A9122B77C7C9FC05507D86F87A82827EAED9B58385075CBA9EB6C9E18E7CF44F5339F6F616BD0985F607EF80FB4E7BB
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Scherm delen stoppen...IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.U deelt het scherm...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Maak verbinding met een Bluetooth-apparaat en probeer het opnieuw...UserObject.*.new_meeting_flooded.Er worden te veel nieuwe vergaderingen gemaakt. Gebruik geplande permanente vergaderingen om nieuwe vergaderings-ID's te verminderen....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Sta kijkers toe om te vragen om hun bureaublad te presenteren...GUI::EmailInvitation.OneTapDial.Met ..n tik op de knop...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Je verbinding met de sessie is niet stabiel. Kies een ander netwerk (bijv. Bekabelde verbinding), mobiel apparaat of computer. Doe dan opnieuw mee aan de sessie....MyLogSink::OnLogMessage.StopPhoneCall.De audio-apparaten worden

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_ENG.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (549), with CRLF line terminators
Category:	dropped
Size (bytes):	100929
Entropy (8bit):	5.147580502649148
Encrypted:	false
SSDEEP:	1536:ia4RZIsFlmecKeJYPXI6QhI4LIskWWP1A8/qLb21sakNAEsKq:idpl+KWUUK1KAEsKq
MD5:	822E31DFDFCB95A50B6D28DF87608CD6
SHA1:	9C811ADE35B8F0B7C4B6F69861755539499F10F4
SHA-256:	4A1F173B90493324698E29F089D829D0F6FAAAA728405EBFF602D86D72B77BA6
SHA-512:	A37824FEEC7C3CA968E2DE2C36D213E662C1063D624534E1C420E8F3AD03C0285B6674858C8D6E5C0B7F6D74515F9E21FD01BBCC1E67BFD843F200C568FBCA4E
Malicious:	false
Preview:	ItemID.Item.File..PCGUI.PBindToWiFiCameraDialog::OnInitDialog.BindMessage.Steps to bind this App to a WiFi camera...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.ChangeMessage.You can change the binding by the steps below...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.RemoveBinding.Remove binding...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.ChangeBinding.Change binding...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.WiFiCameraBindFailedMessage.The App failed to bind to the camera. Check if this mobile device has connected with the camera.s WiFi....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.StartToBind.Start to bind...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step3.3. Click the binding button...PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step2.2. Go to your mobile WiFi settings. Select the camera's WiFi name "SBC_xxx" and input password "11118888"....PCGUI.PBindToWiFiCameraDialog::OnInitDialog.Step1.1. Power on the camera and start the camera's WiFi....PCGUI.PBindToWiFiCameraDialog::On

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_FRE.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (640), with CRLF line terminators
Category:	dropped
Size (bytes):	110287
Entropy (8bit):	5.212768658752966
Encrypted:	false
SSDEEP:	3072:B91DfrgmvCPrPalKTebn+Hphc2C0OK5nOL4:B91DfrgmvCzPalKTebnkPc2C0OK5nO0
MD5:	9F9EFFC7E14CFEF695D97BA63D261341
SHA1:	15B649B698ACD53963E3442348EBC729A04B857C
SHA-256:	6F773A3B38D8CE1F077A53655F221559BF36F0A2E5611723167028DE759FB45A
SHA-512:	96193D061C8C92AED1124CF4577A1242A5B0ED4A45176CDBB22486277FC1B9E88896A825C5135C05014ECDF0A1659ECAB079E877F3C9B003CC8588793810FD41
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Arr.ter le partage d'.cran...IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Vous partagez l'.cran...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Veuillez vous connecter . un appareil Bluetooth et r.essayer...UserObject.*.new_meeting_flooded.Trop de nouvelles r.unions sont cr..es. Veuillez utiliser les r.unions permanentes planifi.es pour r.duire les nouveaux ID de r.union....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Autoriser les spectateurs . demander . pr.senter leur bureau...GUI::EmailInvitation.OneTapDial.Une touche de num.rotation...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Votre connexion . la session n'est pas stable. Veuillez choisir un autre r.seau (par exemple, une connexion filaire), un appareil mobile ou un ordinateur. Rejoignez ensuite la session....MyLogSink::OnLog

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_GER.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (554), with CRLF line terminators
Category:	dropped
Size (bytes):	106207
Entropy (8bit):	5.183805880890507
Encrypted:	false
SSDEEP:	1536:aJjLa8C/+uYoh4kVzmosbCsYJYT8T1BN4UO4m5Bz2JvIxh7tGTvpc:wINVP+OJWhM6
MD5:	9AD8EDBE48A03EA9F026A63D1950F59C
SHA1:	D4CFB9555DDA08DC2582B18C54CED31282F7602E
SHA-256:	326816125FA54D4A09723807EF47884241B3513E8A52F42CAD66AC177E040A6D
SHA-512:	E358C2B7A9827D14A8DED104F79A613C765042A016073FE166E40BBD0500EC0D129169180FA3F3745635378DBF4F9E7903F812B2EE9C8A713A9EBAF3F9211CFE
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Beenden Sie die Bildschirmfreigabe...IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Sie teilen den Bildschirm...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Stellen Sie eine Verbindung zu einem Bluetooth-Ger.t her und versuchen Sie es erneut...UserObject.*.new_meeting_flooded.Es werden zu viele neue Besprechungen erstellt. Verwenden Sie geplante permanente Besprechungen, um neue Besprechungs-IDs zu reduzieren....PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Su conexi.n a la sesi.n no es estable. Elija una red diferente (p. Ej., Conexi.n por cable), dispositivo m.vil o computadora. Luego vuelve a la sesi.n....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Erm.glichen Sie den Zuschauern, die Pr.sentation ihres Desktops anzufordern...GUI::EmailInvitation.OneTapDial.Ein Fingertipp...MyLogSink::OnLogMe

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_ITA.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (545), with CRLF line terminators
Category:	dropped
Size (bytes):	106960
Entropy (8bit):	5.094814632767334
Encrypted:	false
SSDEEP:	1536:xyuuPyyX/7kfVZNyPBqYV7jRRHXkRX4lKSFHEkYcvdRKU33LQ:JY/gNyPBqMdvdsUHLQ
MD5:	555BA58246B88D60247B6C9D6FA9106F
SHA1:	B040E9A84618FBD0340755C500F92CE9E692A0A8
SHA-256:	FC60DF878A62C597BF669F24178E1AEB73D619F15385CAC798A654120141012C
SHA-512:	921AA1946E07ECBEDD00A0AD2D58442820C17FE310FE1F6D0CA6F464A773F7EA6EFF64E315D319E79F9644ADAC66B65D6F02A147A941A5F1F9C05580C7034C21
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Stai condividendo lo schermo...IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Ferma la condivisione dello schermo...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Connettiti a un dispositivo Bluetooth e riprova...UserObject.*.new_meeting_flooded.Sono state create troppe nuove riunioni. Utilizzare riunioni permanenti programmate per ridurre i nuovi ID riunione....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Consenti agli utenti di richiedere di presentare il proprio desktop...GUI::EmailInvitation.OneTapDial.Quadrante con un tocco...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.La tua connessione alla sessione non . stabile. Scegli una rete diversa (ad es. Connessione cablata), dispositivo mobile o computer. Quindi riconnettiti alla sessione....MyLogSink::OnLogMessage.StopPhoneCall.I dispositivi audio veng

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_JPN.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (317), with CRLF line terminators
Category:	dropped
Size (bytes):	115144
Entropy (8bit):	6.00340553785929
Encrypted:	false
SSDEEP:	1536:YzqVDx79PZLoxGAr36wb2cY/1w2E4i91sG9z1aknzGBp:Y7w6RNc
MD5:	F8FA38EBCA233B3B805311979EC31646
SHA1:	850778B2F3949D28C858534720E4CD1E154786F9
SHA-256:	E45D81061CF6ED74405D4EBF3BC530489F6A780B84DF510894F8B0A8D4D8A89E
SHA-512:	C72C9A783E34DB019FD4FBB251018B215D2157FDDC70D273E76C3E5B59AA836097ED22CC341093BECCE8C367B89F03503F636D93070AC4C2988A738E6D5C5917
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader..............IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing...........IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Bluetooth..........................UserObject.*.new_meeting_flooded.................. .....ID.................................PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent............................GUI::EmailInvitation.OneTapDial.............PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.................... ...................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_PRT.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (371), with CRLF line terminators
Category:	dropped
Size (bytes):	111713
Entropy (8bit):	5.192325235869865
Encrypted:	false
SSDEEP:	1536:bW+KreYBSzy/PYiMinpCLmQnPHYKhGcVQwfujuAbjyftfJBiW/nv2hY3:a+KyzoP3MiuHPEna0m
MD5:	6A3E7509311BE81CC2FFCAD1B697F3BD
SHA1:	E24348698A2F8E316D017A47903683B08B7EC9CB
SHA-256:	5A92A07D17108EA6D852108731A2F7CB92F610AD485505D7F8F02BAFF5F5184F
SHA-512:	8ACD6DDD22FC65E7745691E27CA811885C7F9C760191BEBCC9108269745B5A284FF5D6B884E3E45C662FE2D9392EF2A6AD46DE4A73E28C70409CC58FB45539E1
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Voc. est. compartilhando a tela...IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Interromper o compartilhamento de tela...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Conecte-se a um dispositivo Bluetooth e tente novamente...UserObject.*.new_meeting_flooded.Muitas reuni.es novas s.o criadas. Use reuni.es permanentes agendadas para reduzir os novos IDs de reuni.o....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Permitir que os espectadores solicitem a apresenta..o de sua .rea de trabalho...GUI::EmailInvitation.OneTapDial.Marca..o com um toque...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Sua conex.o com a sess.o n.o . est.vel. Escolha uma rede diferente (por exemplo, conex.o com fio), dispositivo m.vel ou computador. Em seguida, volte . sess.o....MyLogSink::OnLogMessage.StopPhoneCall

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_SPA.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (616), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	106752
Entropy (8bit):	5.170056613944853
Encrypted:	false
SSDEEP:	1536:Q7fLnQkna9+AEKjKsbC85Yzg13U6J+Jtr2FphWz9Brw5Mv:QLa4HkdwDw5Mv
MD5:	59F4A43B89E599128DA95F68C6C93C5E
SHA1:	5DE54065488D0417EC2C655F156FC6EDC173ECB4
SHA-256:	B27C22AC64E6D231AE4C17CB93E0A889D376F24EA44864AC15349C7F70C94910
SHA-512:	A016029C5A9288755C96793FDBECFC2663FFC3B6C3E6DB28B9A786D52458D8B9B4500FB923D1D58CA282EC92D1430DC550D368D664E8EE3F7BACABFBE4434D5A
Malicious:	false
Preview:	ItemID.Item.File..IOSGUI.SharingWindowController::CreateScreenStreamingView.ScreenSharingHeader.Est.s compartiendo pantalla...IOSGUI.SharingWindowController::CreateScreenStreamingView.StopScreenSharing.Dejar de compartir pantalla...IOSGUI.AppDelegate::UseBluetoothAudioDevice.BluetoothConnectionError.Bluetooth..........................UserObject.*.new_meeting_flooded.Se crean demasiadas reuniones nuevas. Utilice las reuniones permanentes programadas para reducir las nuevas identificaciones de reuni.n....PCGUI.PColorLevelSettingDialog::OnInitDialog.ViewerCanRequestToPresent.Permitir que los espectadores soliciten presentar su escritorio...GUI::EmailInvitation.OneTapDial.Dial de un toque...PCGUI.PhysicalGUI::StopReconnecting.StopReconnectMessage.Su conexi.n a la sesi.n no es estable. Elija una red diferente (p. Ej., Conexi.n por cable), dispositivo m.vil o computadora. Luego vuelve a la sesi.n....MyLogSink::OnLogMessage.StopPhoneCall.La

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\dictionary_client_TUR.tmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	Unicode text, UTF-8 text, with very long lines (555), with CRLF line terminators
Category:	dropped
Size (bytes):	68108
Entropy (8bit):	5.415653899818446
Encrypted:	false
SSDEEP:	1536:yNpOdmNoOlqF6sVw9uue4XE/ZIwSzpx06:CpOdmNY6v8uE/SwS166
MD5:	01E157ED08E05ED80052AD8DF404B530
SHA1:	FD6229C6410350C30D5B7907DB42C521FC3EDB62
SHA-256:	295A963CCE972904ACF33153C7CAF731027A36B5B8F5249EAAFC5B5D03012D67
SHA-512:	1EEE1112B12FB3FEAC86F9555AF20AB1A16EBF0FDDE09004D4A294603B4BC9A15105B6453BB31B2741998BA781527B339F5174D04B7FA3792172035C20582F0A
Malicious:	false
Preview:	ItemID.Item.File..EmailInvitation::CreateEmailMessage.TipsWireless..PUCU : Ekran tazelemesinin yava.lamas.n.n ve kesilmelerin .nlenmesi i.in telsiz ba.lant.lardan ka..n.n....EmailInvitation::CreateEmailMessage.TipsHeadset.Mikrofon ve hoperl.r.n.z. kullanmak i.in kulakl.k gereklidir (VoIP)....EmailInvitation::CreateEmailMessage.OptionalNumbers..ste.e Ba.l. Numaralar...PCGUI.PAttendeeListDialog::OnRightClickAttendeeList.MoveToTheTop..ste git...PCGUI.PAttendeeListDialog::OnRightClickAttendeeList.ShowInShortList.K.sa Listede G.sterim...PCGUI.PAttendeeListDialog::OnRightClickAttendeeList.ChatTo.Sohbet mesaj. g.nderimi...PCGUI.PAttendeeListDialog::OnInitDialog.ParticipantList.Kat.l.mc. Listesi...PCGUI.PHostMeetingDialog::DisplayAlertMessage.WebinarAlertMessage.Kat.l.mc.lar VoIP kullanamazlar....PCGUI.PAttendeeControlDialog::OnInitDialog.RaiseHand.S.z alma iste.i...PCGUI.PAttendeeControlDialog::OnInitDialog.LowerHand.S.z alma iptali...PCGUI.PHostControlDialo

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\ApplicationIcon.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
Category:	dropped
Size (bytes):	22486
Entropy (8bit):	3.442256410134587
Encrypted:	false
SSDEEP:	384:AD/IIsIIED9mDKzj8gmUf+SJHgIIsIIzCvA2TDv:oIIsIIJgmUf+ugIIsIIzCvlTDv
MD5:	883746CDA8ECF40EF07D2F26A687E550
SHA1:	88D8D8D7676AE4890C06ACED19212122BE59F44E
SHA-256:	4435E5C62BE3B529D5E2100B5F1F57EDCC2BE82281601313BC8594E52C445D66
SHA-512:	A8CA2E91AAC490EAEEEEEEAF21F9DE64FC1E24A5D690790BEC09E694A3738F12FB4FCADEA799FC54F9D4B766A5C951873F39BB4875E5D58B75243B4E2833F018
Malicious:	false
Preview:	......00..........f... ......................h.......00.... ..%...... .... ......B........ .h...nS..(...0...`.......................................'Z..&W..,f..+c..(]..ff..ff3.fff.ff..ff..f...f.3.f.f.f...f...f...f...f.3.f..f...f...f...f.3.f...f................3...............33...f..3.......f...f3..3f..f...f...3....3...f...................3.f.f..................3...f...................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f......3..f................3...f..................3...f...............3...f......3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............3...f.........ff..f.f.f....ff..f....f.!...___.www.....................................................................................xTk..F..p)..'Z..'Z..'Z..'Z..'Z..'Z..'Z..'Z..'Z..........................................................................xTk..F...(......................................................................'Z..'Z..'Z..'Z..'Z..'Z..'Z..'Z

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\CTMeeting.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	5.268540394824082
Encrypted:	false
SSDEEP:	192:jG8oSNa2uVZZXk6w+tldx2+E5K7sWpK0nqNeSMAo80TxzHOOTvVmASzc:jGSNHuVZjN7a5KIWGo80BBvVlD
MD5:	F366C80B222E8E83D5EC6D90959C2C45
SHA1:	CBEFD8DC9C8E342C6165D0F9C1FCFB177D2E01BE
SHA-256:	8CD38C8E1A62198BEA0BCC85C0B339A835E460ED08A8D8C98BE524B528F07531
SHA-512:	DB1C073C9A7837D8D3D1E3F654C8C95060971130CDD527CDD1365CDFE48CC2BED963FB0D574A4705BA92E2E70102F73795ADF97EDF9EDAAB3EEEFAA03D3E8517
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%...............................................................................t.......n.%.s...t...r...r...r...r...r...r...r...r...t...s...p.(.....t.......................................................................................................................s.......p.U.r...n...k...n...o...p...p...p...p...o...n...k...n...s...p.Z.....v...............................................................................................................q.......o.@.r...m...1.....................................3..m...s...o.F.....q.......................................................................................................m...........s...m...A..................................................F..m...s...R.......n...........................................................................o...s...v...t...r...p...p.......p.(.r...r.............U..Q..F..C..C..E..O..T.............s...r...r.,..

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\DummyWebcam.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1867
Entropy (8bit):	7.3280619152848905
Encrypted:	false
SSDEEP:	48:0wqQNn2xUJ3fw0ww2sq4fl7OYo8QUDTNVS4XrAK9:kY2L0J2l49yx8FDTJT
MD5:	2CFEED234A8558FAFA50655ACB115FD8
SHA1:	2FFB1A9FE6536723E96AE500554D3ABEED2147FC
SHA-256:	615861E3BE02B7EBCF9378BBFEEFE969B503A11C738DFBD9A6514029205646F9
SHA-512:	DA7E66A2DA8EB2363583A9C055B590385412BB924FC0D0D28D8CBFDE9567DD0AB98019F1EC752B16F590764C1D287AEB583B90458820A3D6A75C43E59C7B6583
Malicious:	false
Preview:	.PNG........IHDR...@...@.....%......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:B17AB45350AD11E5B1EDE5C7D0C88953" xmpMM:DocumentID="xmp.did:B17AB45450AD11E5B1EDE5C7D0C88953"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B17AB45150AD11E5B1EDE5C7D0C88953" stRef:documentID="xmp.did:B17AB45250AD11E5B1EDE5C7D0C88953"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......IDATx..[O.@..[Z.P...(r.K@.$....#b..xb F..".x.D.:.r..t..0&....C.u.........eS~.~.~.LJ..K.Ng4........n......T*

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\IMDefault.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2927
Entropy (8bit):	7.901864294096541
Encrypted:	false
SSDEEP:	48:z/AblbrVP517clW9u74PZi5QTsp+9MbP6f8/2X5vZHUcYFye:z/A5bxj7cQ9u7yZ8QTP9KT2XHdYFye
MD5:	6E8F635F6528CC0433861A8DFB0C2D30
SHA1:	E85EC2E9154D1B12835E0590ED00C22A49E3A6DB
SHA-256:	A8CC2B4C182384537CAD5E091DFF777F6806E77EED0E5800B96C573E4FBC1A00
SHA-512:	12F54F49FDDF6857A840608ED070822C7491D6C15B56F6F5A024C27A28264ED1525FAB4D57F9716D49C284BBF24A677A46F8F084BFBBF485D0F62D11B5CBC725
Malicious:	false
Preview:	.PNG........IHDR...8...8.......;....6IDATx...S.w.....d..k....KQL...n..2..../....51.A.a....1....<y...L.E..W.=....w..W..Dd._$..$.DF%...1.K.y9I..[.xzaK..:.1..X".G$.[../...:l..?..V......K.T.v7...O.T8.8.Z...5Y.....V$..+.\|4.P.........@...HR!....+.AS.xZ.9r.... ......#...73M....6...P3U.K.....[q....0.......f.j>Y. b....n...T..=...(b.......M.wf.v.q.py@0.....eb.$S..D.9Ys...i.}...K9...i..=u.R..$=..S..B...'Ss..r...~3.QIf.....M5..l.p:.....r.Yz.B..........{....S..F>..c9..L....7.....r.;....b(..d~I.^....U[..}R..H]S.x.[.>..5.f....k...^9...}^~yU..q..F$._.y..S1L;..i(.c..H...R....ni.? M.}...%.Mm.9R...o../.@.T{}.._...R.Q\|XU....3.9.y.q.KC.....T.Z$.}@j.....Y..@.B..{.X.......&.j........,=_WSE.;o...D...x&$..?.0...n.O5...B..`\|.wk.....#..Mj.7G...+4.v. G....{.~....$G...D.....+{.......m]2xs...vE..r#.=........i. .J..k@..L...FM...=....2.tF.............).....+.........[S/M..r..y.M....R...o...)I..2=....^M..-...Dk.MN..........q.P<!.......\....V.A..@.......0S.....D....}.....%+.

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\MXmeeting.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.7348281735284137
Encrypted:	false
SSDEEP:	96:jvVmqKjOvFd0+uYDkY4RkQWyt9aKdk/o3H4VGr1fSLzeIBvCWV2auhbfgX:j9mqdT0HVt9aKdDSLl6kBbX
MD5:	E7D9E81AFA9CB104E0FE70EE9DABCB6B
SHA1:	FA2D7DF277CD730BAD0786F5BA92D3E5D777403B
SHA-256:	A04E701256B583F226CE290D979B19D51A6EA4C5A94341E4E35DB1CA94DDC6E8
SHA-512:	1FDE7F4C1387FBE304ACBD1EA2479A89306AC90BDF72C6C5AB88B92C44183DFBF7F01729B23C112D77AB7378D4FB007EB2343B50974436C84D69E51C11656A72
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\ProfileInfoDialogBackground.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 98 x 24, image size 394, resolution 2834 x 2834 px/m, cbSize 448, bits offset 54
Category:	dropped
Size (bytes):	448
Entropy (8bit):	4.671818727412439
Encrypted:	false
SSDEEP:	6:7AldcJ6RqNJp743UTxdhTbVld5RH2IQhTnTfJrf9K9LPpPip2DGZOGGu9uDUEnQi:7ASgyH2TnTfVwHZXGGuYgQQI5VSQtL
MD5:	A8A6EF427C5C0EDE5C70AF58AA5680DE
SHA1:	127365EAF32CEE2BA7A958E766FDCCAD0E3C50C6
SHA-256:	1D3F66E964CD9BFF854A550D5ACBB55B2C2027C05CEB7A9396A691B1C9D8C6C2
SHA-512:	C2EC78255EC33AF2AE799972AA275C8FA3378D56092B480C4F39105CB5978983C16B97C33E94CCB5D76886340EEA116B08C207A1D593945B7F600ED7C8751E41
Malicious:	false
Preview:	BM........6...(.......b.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\Separator1.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PNG image data, 266 x 9, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	715
Entropy (8bit):	7.529061088532927
Encrypted:	false
SSDEEP:	12:6v/7dZXLr+yakAkKVlTMtHQOXSL8OW8Nv9XBnzvN3RH/F4ibFLRrcawCajNuk9:gZ3hankqlg1SLR9DnzN3B/FXbFhcawC8
MD5:	B7CCD0351EB77445E7323F2BB74788FD
SHA1:	E0525DA70A851E6DC72D57DD9064F16B949C2A26
SHA-256:	8BAA0FEAF55D59C0929419101BDAB9EA326348F13DE8B68EDFB710076F0C3F78
SHA-512:	34015ECA33A939E74481334A55DB4731D2777B4975E4BCDD648A8DF1CEA80E2C65E93047A5D9C22C681D1CA417CCED190C65E58E8099B740CA669DC9BF829579
Malicious:	false
Preview:	.PNG........IHDR..............(b.....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...]IDATx..mo. .......q.T....$i.HS.`l........-.n.}...{.:.>".q...&.i".y}[...y..?&.&..b-.;.x.6....hp.}.v..N..:........+.>...h3........."V......W9.q)..gC1G.w..?+....h....0@QBW....w?.5...y..$.{...s`.."z.+.N.E...3..'.3....q}.....@...D...J>.l"...U<.9....(.."+T+..-..l.m..f...4^....:..K.=....0.......U.+....}d0a.)."E...{&L&.x....Ag...2....+.j.Eo..T....Z{..j.eW.....qa.#....t.X.L..e.*;]../...:BA\|..N....@,.X..u\|^..t..p.`..@%.Q.....N.....8.W..H@a..y...Q)..Kf..!...:.K......{`...O-.;. +B;./[..g8.....n....w..x.6<A.;b.r.........d?.a7._..W..pA...~..=a...].uw!....y...b.\|..\|.b..M..?..{.=u..0..nD.........IEND.B`.

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\SeperatorLine.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PNG image data, 260 x 1, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	132
Entropy (8bit):	5.413824965565243
Encrypted:	false
SSDEEP:	3:yionv//thPkYtS1clSl0tRthwkBDsTBZtzdatFcEoXa/ljp:6v/lhPkYtS1Rl0znDspzWTAa/Vp
MD5:	4CE28B32C7836663CE74B29F11D176A7
SHA1:	608EBF86C32394E609ACB091E5FEFCB0AF4B9D39
SHA-256:	4199A78439525D778CF91FA5DEFE0C68320B3E51B3EB9C7672939DD4B2F33E50
SHA-512:	E5DF9C12F74A92898A78702935C454CA0314997D7BA36B89126BBF177FD652B5DFECFE8C3687A117D60810FCDB0BCC91ABCDEF7F19B6C4FFB8725F793CC1BD02
Malicious:	false
Preview:	.PNG........IHDR...............GZ....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b.w...(...... ...!..S.L.....IEND.B`.

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\TurboMeetingWatermark.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PNG image data, 274 x 312, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	15525
Entropy (8bit):	7.955817620038244
Encrypted:	false
SSDEEP:	384:md1Xn6jtWIg9t84o4cSmkLjWKmVQWMVwIp8VNP+6YLET2:m3XnLIYt84/KaiRQsImP+gT2
MD5:	C939AF5F23D396F55808E95668C73C18
SHA1:	3E8767C4FCB16767E6E04A34A9B81B74C061E411
SHA-256:	B128C15EA8BB492570E441F2BD3F81D1A481C75997AE107A1D9E830C98067FD9
SHA-512:	BE5D99BEDEB70C53B127BCED885C704C1E7E42634B64A5DE9E4B9138CB91C14C5D774CE27742118E6549D7F562AD5DAFD1395AB02BFB7E04B431F18FDCE16B7C
Malicious:	false
Preview:	.PNG........IHDR.......8.......L.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:B337DD93A04411E3A7E0B3415030DDAB" xmpMM:DocumentID="xmp.did:B337DD94A04411E3A7E0B3415030DDAB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B337DD91A04411E3A7E0B3415030DDAB" stRef:documentID="xmp.did:B337DD92A04411E3A7E0B3415030DDAB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>{.....9.IDATx.b...?..p..Y.......@..@&....@9h.bv(.L.ALTp.2..H.P.P;d..S.4...a.li....1.8.L.5..Zp5..=. ..x...@n....D.t..

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\image\Ymeetee.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	3.908826625397295
Encrypted:	false
SSDEEP:	96:jxp0LXMk1/Au7paUVdD+we1RoeeBniFQ+0TxKtp4+3r/+4sR1sXsXsrEI8kT:jLu8cN5dDxerMQEGp4+3q4sHsXsXsrB
MD5:	E20ADBD0C131A94E99FDE12E0C60D247
SHA1:	EE5EB66E8945EC49A178D739834D448350C1080D
SHA-256:	9473FE1FE2D941DB548F70E716DD8ED841DBAC60C02C71A5CE6BA760872DC69A
SHA-512:	E204339033903140FF0765F38F35DAEFD15C4D336D2C2595A04A481E9104CFC96892FCF9621EA4745E5DDB0F57D9A5641422EFF6C03324842ADAC91A61BEB5E4
Malicious:	false
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......%...............................C...=...V6&.gG^.oR..qT..pT..qT..pT..pT..qT..qT..pT..qT..qT..qT..pT..qT..pT..qT..qT..qT..pT..qT..qT..qT..pT..qT..qT..qT..qT..qT..pT..pT..pT..pT..qT..pQ..kKk.\96.L)..V0...................y..V...[6..rT.....................................................................................................................................................\|a..[;3d....Q2.........Y5..^<*..k....................................................................................................................................................................cDN...hH..eF..W6...h............................................................................................................................................................................`<6.[7..`B..jJn............................................................zZ..T,..U,..U,..U,..U,..U,..U,..U,..U,..U,..U,..T+..e@...............

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\jsproxy.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25904
Entropy (8bit):	6.967116392745186
Encrypted:	false
SSDEEP:	384:0XganKwtsIS1KgKy/FEvUzoGJk0cOrQDEUcWTyl5nYPLOdGfZiTUdGfZL8JN77hp:0XgQtd6KgKCU3O7uiTHA3hDl
MD5:	7BCD58DF45A40F865E8DBBCB5B2EF6D1
SHA1:	6B8C19C6521CE5E4C8C81F5A59552F3714B15E17
SHA-256:	F8CDAC83B1512B6BCFABC616F3865BF11C049E59E4A2C8B5D5D4F031332D83D8
SHA-512:	DEAA3F5CA55D53EB398328F6910E86AB4E95A5E8B37FD67EE6FBD21C1CA8E747D09544D7A54A01815864C2CEBD376AA5ED34313C21B7235D31450F996C84CA39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....X...X...X9?.X...X.>.X...X.?.X...X...X...X.?.X...Xt?.X...X9?.X...X...X...X.?.X...XRich...X........PE..L....n=...........!.....&...................@....oq.........................p......@................................2......./.......P...............0..05...`..p....................................................................................text....$.......&.................. ..`.data........@......................@....rsrc........P.....................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1909
Entropy (8bit):	5.116245132023822
Encrypted:	false
SSDEEP:	48:0TK1j1rAalFwzKLdErOCZm9I+BOaknxNVbZKcKWUaP1aPyfl:qK1j1rAalFwzKL6OyYceyd
MD5:	64EE134763F8A59FA41575B54B4C9799
SHA1:	3047D89F40E4B5BD14A300BA0C8E11A9DF403EA3
SHA-256:	6CA7946C4805C3705E6D588455D21131376E94960EDED7FDBBD5DACEB48A916B
SHA-512:	E2438809048CC375554292A693C50D5CCED59B5BCC555996454233DCD0CC16CAD48C43889697C289A8CBEB0A324DD587B8AE5921A6F149091C93236A99BDB392
Malicious:	false
Preview:	<__SetupDirectory__>C:\Users\user\AppData\Local\Temp\tm_starter_dir</__SetupDirectory__>..<__SetupFile__>C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe</__SetupFile__>..<__SetupFileName__>SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe</__SetupFileName__>..<__SetupConfigureFile__>C:\Users\user\Desktop\starter.cfg</__SetupConfigureFile__>..<__AccountServerIP__>support.lockwoodbroadcast.com</__AccountServerIP__>..<__AccountServerPort__>443</__AccountServerPort__>..<__MeetingPassword__></__MeetingPassword__>..<__MeetingId__></__MeetingId__>..<__Role__>attendee</__Role__>..<__Version__>3.0.639</__Version__>..<__Publisher__>RHUB Communications, Inc.</__Publisher__>..<__AboutURL__>http://www.rhubcom.com</__AboutURL__>..<__AttendeeName__></__AttendeeName__>..<__AttendeeEmail__></__AttendeeEmail__>..<__Email__></__Email__>..<__UserPassword__></__UserPassword__>..<__PassThrough__></__PassThrough__>..<__ClientName__>TurboMeeting</__ClientName__>.

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\setup_status.txt

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.0232250020833416
Encrypted:	false
SSDEEP:	3:qDlmBBvcylmBBvb:1Gb
MD5:	B906A32DDF38251C7EBEAC7D2D70884E
SHA1:	525C320D456A4B4F000D8BA2E20F400E708EAD7E
SHA-256:	615720C8D5AFE51DB35F015B86E68340E73A9E93C6E74A6E5CF23E1081FDA896
SHA-512:	1A835B7F6AE282C81E6B0C4576CAD0558B90FF3A488BA74C70C74BE7D365B99F1B063167319630F96E7BBAEED4EDD4591861B735EA8243A4689FD83DAA478064
Malicious:	false
Preview:	<__ClientCalledToLaunch__>N</__ClientCalledToLaunch__>

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\version.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.1182751607709753
Encrypted:	false
SSDEEP:	3:MFW54fQn:MM4fQ
MD5:	8797773BBB9B3585F186FC2684A48F6C
SHA1:	460A68B60688E4AC8A169B5A972E5A0120A977BC
SHA-256:	18805AD87BD499C00BC4B72EC6B52E9EC1B9087760E1741EA73CD53A92CC839C
SHA-512:	A4F8DA05BE6F56A1A8347C58A439638967C0129B21884B5C7C624059C690FED7CD131FB1988C524F8D209C407725E223B388E984506A27803DC0F2CC24FB1D50
Malicious:	false
Preview:	3.0.639..8.0.2..35232

C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\vistafunc.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91384
Entropy (8bit):	6.590287891967479
Encrypted:	false
SSDEEP:	1536:vtJnUFQOmsbk04O5pVMlhIcfRuu9HsWScdlk6hEKLnm7A3h8P:UKsbL5pVMlmWJlDTLnyP
MD5:	D9F52809F0A87FA85638E08187040545
SHA1:	7A4BAF2DCBA8193AE9209BFF85AF56B18DF9344A
SHA-256:	867B919D932C496BE91FDB3FC0AC489FDFFAE9371463BFC24C844FC7CF63A9E4
SHA-512:	8617F7B992F824294D1B840AA0D04B6C040E3C756907729740CCF56E709CF1509E7A8F79B06901FE944D5DBB5C9EDCF1BFA4C1F166607CD2392EF8B6C81D14C7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........N..c ..c ..c ...#..c ...%.Rc ...$..c ...$..c ...#..c ...%..c .....c ..c!..c ...%..c ... ..c .....c ..."..c .Rich.c .................PE..L.....Z`...........!.........................................................p......@&....@..........................".......#..P....P...................6...`..H.......T...............................@...............,...d"..@....................text...W........................... ..`.rdata...Z.......\..................@..@.data........0......................@....rsrc........P......................@..@.reloc..H....`......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\TurboMeeting.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Apr 18 03:25:36 2024, mtime=Thu Apr 18 05:15:05 2024, atime=Thu Apr 18 03:25:31 2024, length=18097912, window=hide
Category:	dropped
Size (bytes):	2241
Entropy (8bit):	3.719570557661557
Encrypted:	false
SSDEEP:	24:8zK229iPUlSdPKJg0ALAQtLMMgpoLMLIESoLMxLkW9AMyycMxLAIJcJtm:8zK22sRFD8psfkWTrlJcJt
MD5:	259B1F2BAD6893F1CD725CA9D8DEB2E3
SHA1:	11483D70A466F08E1CE3B584B21EC9E59994F6E2
SHA-256:	CCD2F69A37791DD4353581109F88F26A44F37E107203FA91109F1C41A005A0A1
SHA-512:	8D211F74B0468F075B32A42B5F4D1EF3893C1933E512F0B00021739CB1EDEB0FFD641454C0D76945399784DEF47D73ABB33263E019978A9ED71C4904A6F5625D
Malicious:	false
Preview:	L..................F.@.. ....T(vH.....z.W...$..rH....&......................F.:..DG..Yr?.D..U..k0.&...&......Qg._...h..hH....6J.W.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X.1..........................3N.A.p.p.D.a.t.a...B.V.1......X2#..Roaming.@......EW.=.X.1..............................R.o.a.m.i.n.g.....b.1......X.1..TURBOM~1..J......X2#.X.1..........................O:..T.u.r.b.o.M.e.e.t.i.n.g.....b.1......X.1..TURBOM~1..J......X2#.X.1............................$.T.u.r.b.o.M.e.e.t.i.n.g.....n.2..&...X0# .TURBOM~1.EXE..R......X3#.X.1...........................br.T.u.r.b.o.M.e.e.t.i.n.g...e.x.e.......\|...............-.......{............[.......C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe....T.u.r.b.o.M.e.e.t.i.n.g.=.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g.\.T.u.r.b.o.M.e.e.t.i.n.g...e.x.e.<.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4610364170823695
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
File size:	790'064 bytes
MD5:	8745c960022bcefff65c91a47374a169
SHA1:	e503dd1b85b17ba61e468890d11f3259e9437b72
SHA256:	8fd4a4dcbe8b649c8c8cec213352c6da213caaefffc76450efee498e51f63cda
SHA512:	c55e03d0a7ae03972f0dd5e9ef0873b196ecc988571f322d315e748c0fe06d0011ae17c7b7bf21c13f71ad97ec8cc40eafadba7f1d3d0e6e2cadca0fff22e75a
SSDEEP:	12288:QNp51L0Z775xs2qnf8PtVXJSLKlK4pKJe5d0nocsxa3k48118t/HY4EErtkTd2h9:WJL0Z/mnet60yocssl8gY4hkTd2hCM
TLSH:	E9F49E1275D1C072C2732130AAB9EB7156ADFC324A354687B3883A696F742F26E34777
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......I.A.../.../..././.,..././...././.+.../......./......./......./._.+.../._.,.../.<...)./._..../...+.../......./......./...*.../

File Icon


Icon Hash:	0ccc694d4d688c4d

Static PE Info

General

Entrypoint:	0x443b33
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F7B900E [Mon Oct 5 21:28:46 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	213e0a4928f644955b6c40c3acf835d6

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/08/2018 02:00:00 18/08/2021 14:00:00
Subject Chain	CN="RHUB Communications, Inc.", O="RHUB Communications, Inc.", L=San Jose, S=California, C=US, SERIALNUMBER=C2724413, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	C904612B1CF52E1055AA7446D74528C2
Thumbprint SHA-1:	A720B7BF5F5AD71A08905396879B6B620E770593
Thumbprint SHA-256:	8E1426B03264CA3D6C48FD76AAC4011C4F2EEFCD653C6EAB04F4CEA74C10A502
Serial:	05CB860E41A7845345518D869C89A5F6

Entrypoint Preview

Instruction
call 00007F65CC7FB376h
jmp 00007F65CC7FA23Fh
call 00007F65CC7FA404h
push 00000000h
call 00007F65CC7FA5E8h
pop ecx
test al, al
je 00007F65CC7FA3D0h
push 00443C70h
call 00007F65CC7FA792h
pop ecx
xor eax, eax
ret
push 00000007h
call 00007F65CC7FB401h
int3
push ebp
mov ebp, esp
mov eax, dword ptr [004A6C44h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [004A6C44h]
pop ebp
ret
push ebp
mov ebp, esp
push FFFFFFFFh
push 00476C7Ch
mov eax, dword ptr fs:[00000000h]
push eax
push ebx
push esi
push edi
mov eax, dword ptr [004A6C44h]
xor eax, ebp
push eax
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
push 00000FA0h
push 004AFB04h
call dword ptr [0047937Ch]
push 004844F0h
call dword ptr [004792DCh]
mov esi, eax
test esi, esi
jne 00007F65CC7FA3D7h
push 0047C92Ch
call dword ptr [004792DCh]
mov esi, eax
test esi, esi
je 00007F65CC7FA452h
push 00484534h
push esi
call dword ptr [00479340h]
push 00484550h
push esi
mov ebx, eax
call dword ptr [00479340h]
push 0048456Ch

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9dcac	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb5000	0xe230	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbe400	0x2a30	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0x81d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x95bf0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x95ce8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x95c48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x79000	0x760	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x77821	0x77a00	e8d7927fc43751d5b762ceb11803c226	False	0.5324949386102403	data	6.651399701305167	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x79000	0x273f2	0x27400	b4b8a9b8d56765a829e28e8cb38aab2e	False	0.4553269307324841	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 128.000000, slope 69177951903790594523136.000000	5.596195970312029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa1000	0x12c30	0x8200	2fe776589c1b28f976dfdcc6d67d96ca	False	0.12926682692307692	data	2.1641265224289206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0xb4000	0x920	0xa00	49bef94705afd51096e5fd4207b8d82c	False	0.555078125	data	5.482571152101737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb5000	0xe230	0xe400	8484c4b0bf553fbd0ac5c98baf9c1046	False	0.23864103618421054	data	4.184187592933368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0x81d4	0x8200	c2f4f1ab89ac4bb34beed7905db49b69	False	0.6444110576923077	data	6.654015445973796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xbfbe8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0xbfd20	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0xbfe00	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0xbff50	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0xc00a0	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0xc01f0	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0xc0340	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0xc0490	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0xc05e0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0xc0730	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xc0880	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0xc09d0	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0xc0b20	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0xc0c70	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0xc0dc0	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0xc0f10	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0xc1180	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0xc1238	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0xb5cc0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.08453757225433527
RT_ICON	0xb6228	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.09972924187725632
RT_ICON	0xb6ad0	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4608	English	United States	0.08691819464033851
RT_ICON	0xb8128	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4288381742738589
RT_ICON	0xba6e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.16151452282157677
RT_ICON	0xbcca8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1983402489626556
RT_ICON	0xbf268	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088, resolution 2835 x 2835 px/m	English	United States	0.22606382978723405
RT_DIALOG	0xbf6e8	0x206	data	English	United States	0.5308880308880309
RT_DIALOG	0xc1060	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0xc1148	0x34	data	English	United States	0.9038461538461539
RT_STRING	0xc1380	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0xc1408	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0xc1438	0x184	data	English	United States	0.48711340206185566
RT_STRING	0xc15c0	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0xc1e40	0x264	data	English	United States	0.3333333333333333
RT_STRING	0xc1b60	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0xc2888	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0xc1ab0	0xac	data	English	United States	0.45348837209302323
RT_STRING	0xc2778	0xde	data	English	United States	0.536036036036036
RT_STRING	0xc20a8	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0xc2550	0x228	data	English	United States	0.4003623188405797
RT_STRING	0xc2858	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0xc2918	0x53e	data	English	United States	0.2965722801788376
RT_GROUP_CURSOR	0xbfdd8	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0xc05c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xbff38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0478	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0328	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0c58	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc01d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0868	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0088	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0718	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc09b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0b08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0da8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc0ef8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xc1048	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0xb80f8	0x30	data	English	United States	0.8958333333333334
RT_GROUP_ICON	0xbf6d0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xba6d0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xbcc90	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xbf250	0x14	data	English	United States	1.25
RT_VERSION	0xbf8f0	0x2f8	data	English	United States	0.4513157894736842
RT_MANIFEST	0xc2e58	0x3d1	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (917), with CRLF line terminators	English	United States	0.4687819856704197

Imports

DLL	Import
KERNEL32.dll	GetVolumeInformationW, LockFile, ReadFile, SetEndOfFile, UnlockFile, DuplicateHandle, GetThreadLocale, SetErrorMode, GetFileAttributesExW, GetFileSizeEx, GetTickCount, GetUserDefaultLCID, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, GetFullPathNameW, FlushFileBuffers, GetCurrentDirectoryW, SwitchToThread, LCMapStringW, GetStringTypeW, GetCPInfo, RtlUnwind, ExitProcess, GetModuleHandleExW, VirtualProtect, ExitThread, FreeLibraryAndExitThread, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, GetCommandLineA, GetCommandLineW, HeapQueryInformation, VirtualAlloc, GetStdHandle, IsValidLocale, EnumSystemLocalesW, GetConsoleCP, GetConsoleMode, SetStdHandle, ReadConsoleW, SetFilePointerEx, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetLocaleInfoW, GlobalFlags, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, MulDiv, LocalFree, GlobalUnlock, WritePrivateProfileStringW, GetPrivateProfileStringW, GetPrivateProfileIntW, lstrcmpA, GlobalLock, CompareStringW, GlobalFindAtomW, GlobalAddAtomW, WriteConsoleW, DeleteFileA, GetTempPathA, lstrcmpW, GlobalDeleteAtom, LoadLibraryA, FindResourceW, SizeofResource, LockResource, LoadResource, LoadLibraryExW, FreeResource, GetSystemDirectoryW, EncodePointer, GetModuleHandleA, SetLastError, OutputDebugStringA, GetACP, lstrlenW, lstrcpyW, lstrcmpiW, FileTimeToDosDateTime, FreeLibrary, VirtualQuery, GetCurrentThreadId, OutputDebugStringW, IsDebuggerPresent, WriteFile, SetFilePointer, GetFileTime, GetFileSize, FileTimeToLocalFileTime, CreateMutexW, ReleaseMutex, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GlobalFree, GlobalAlloc, GetModuleHandleW, GetSystemTime, GetSystemInfo, CreateProcessW, GetCurrentThread, TerminateProcess, QueryPerformanceFrequency, QueryPerformanceCounter, RemoveDirectoryW, GetLongPathNameW, FindNextFileW, FindFirstFileW, FindClose, WideCharToMultiByte, MultiByteToWideChar, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, SetThreadPriority, CreateEventW, SetEvent, GetTempPathW, CopyFileW, FormatMessageW, LoadLibraryW, GetProcAddress, GetVersionExW, OpenProcess, GetCurrentProcessId, GetCurrentProcess, Sleep, WaitForSingleObject, CloseHandle, SetFileAttributesW, GetFileAttributesW, DeleteFileW, CreateFileW, CreateDirectoryW, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, SetUnhandledExceptionFilter, RaiseException, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, CreateThread, DecodePointer, GetTempFileNameA
USER32.dll	MapDialogRect, SetWindowContextHelpId, SetCursor, GetCursorPos, TranslateMessage, WinHelpW, CallNextHookEx, SetWindowsHookExW, GetLastActivePopup, GetTopWindow, GetClassLongW, SetWindowLongW, PtInRect, EqualRect, MapWindowPoints, ScreenToClient, AdjustWindowRectEx, GetWindowTextLengthW, RemovePropW, GetPropW, SetPropW, GetScrollPos, RedrawWindow, ValidateRect, EndPaint, BeginPaint, SetActiveWindow, UpdateWindow, GetMenuItemCount, GetMenuItemID, GetSubMenu, SetMenu, GetKeyState, SetFocus, GetDlgCtrlID, GetDlgItem, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, DestroyWindow, IsChild, IsMenu, IsWindow, CreateWindowExW, GetClassInfoExW, RegisterClassW, CallWindowProcW, DefWindowProcW, GetMessageTime, GetMessagePos, RegisterWindowMessageW, LoadBitmapW, SetWindowTextW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, GetFocus, UnhookWindowsHookEx, SetRectEmpty, SendDlgItemMessageA, wsprintfW, wvsprintfW, GetMonitorInfoW, MonitorFromWindow, GetSystemMetrics, DrawTextW, DrawTextExW, GrayStringW, TabbedTextOutW, GetWindowDC, MoveWindow, FindWindowW, GetActiveWindow, GetWindow, IsWindowEnabled, GetMenu, GetWindowThreadProcessId, GetClassNameW, MessageBoxW, GetWindowTextW, SetForegroundWindow, GetForegroundWindow, IsIconic, IsWindowVisible, SetWindowPos, ShowWindow, GetIconInfo, CopyImage, DestroyIcon, GetParent, GetWindowLongW, CopyRect, GetSysColor, WindowFromPoint, ClientToScreen, SetWindowRgn, DrawStateW, GetNextDlgTabItem, SetRect, LoadIconW, GetDesktopWindow, OffsetRect, GetWindowRect, GetClientRect, InvalidateRect, ReleaseDC, GetDC, EnableWindow, ReleaseCapture, GetCapture, PostQuitMessage, PeekMessageW, DispatchMessageW, GetMessageW, LoadImageW, GetClassInfoW, UnregisterClassW, IsDialogMessageW, CreateDialogIndirectParamW, EndDialog, IntersectRect, RealChildWindowFromPoint, GetSysColorBrush, LoadCursorW, DestroyMenu, SetTimer, KillTimer, CharUpperW, SetCapture, CharNextW, CopyAcceleratorTableW, InvalidateRgn, IsRectEmpty, GetNextDlgGroupItem, MessageBeep, PostThreadMessageW, RegisterClipboardFormatW, SetMenuItemInfoW, PostMessageW, SendMessageW
GDI32.dll	GetDeviceCaps, SaveDC, ExtSelectClipRgn, SelectObject, SetBkMode, SetMapMode, MoveToEx, TextOutW, RestoreDC, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, OffsetViewportOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateRectRgnIndirect, GetMapMode, GetBkColor, GetTextColor, GetRgnBox, RectVisible, PtVisible, LineTo, GetWindowExtEx, GetViewportExtEx, GetStockObject, GetClipBox, Escape, CreatePen, SetTextColor, SetBkColor, CreateBitmap, GetObjectW, DeleteObject, ExtTextOutW, CreateCompatibleDC, DeleteDC, FrameRgn, CreateSolidBrush, CreateRoundRectRgn
WINSPOOL.DRV	OpenPrinterW, ClosePrinter, DocumentPropertiesW
ADVAPI32.dll	ImpersonateSelf, AdjustTokenPrivileges, RegEnumValueW, RegQueryValueW, RegEnumKeyW, RegDeleteValueW, RegCreateKeyW, RegQueryValueExW, RegOpenKeyExW, GetUserNameW, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid, OpenThreadToken, RegSetValueExW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, LookupPrivilegeValueW
SHELL32.dll	ShellExecuteW, SHGetSpecialFolderPathW, SHGetFolderPathW, SHCreateDirectoryExW, ShellExecuteExW
COMCTL32.dll	_TrackMouseEvent
SHLWAPI.dll	PathFindExtensionW, PathStripPathW, PathIsUNCW, PathStripToRootW, PathFindFileNameW, PathRemoveFileSpecW
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, CLSIDFromString, CoCreateGuid, OleUninitialize, OleInitialize, CoInitialize, CoUninitialize, CoGetClassObject, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CreateILockBytesOnHGlobal, CoFreeUnusedLibraries, CoRevokeClassObject, OleFlushClipboard, CoCreateInstance, OleIsCurrentClipboard, CoRegisterMessageFilter
OLEAUT32.dll	VariantCopy, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, SysStringLen, OleCreateFontIndirect, SysAllocString, VariantChangeType, VariantClear, VariantInit, SysAllocStringLen, SysFreeString
oledlg.dll	OleUIBusyW
WS2_32.dll	WSALookupServiceNextW, WSAAddressToStringW, gethostbyname, socket, shutdown, WSALookupServiceEnd, getaddrinfo, gethostname, WSALookupServiceBeginW, setsockopt, send, recv, inet_ntoa, inet_addr, htons, connect, closesocket, WSAGetLastError, WSAStartup
OLEACC.dll	CreateStdAccessibleObject, LresultFromObject
WININET.dll	InternetOpenA, InternetConnectA, InternetReadFileExA, HttpSendRequestW, HttpOpenRequestW, InternetReadFile, InternetConnectW, InternetCloseHandle, InternetErrorDlg, InternetOpenW, HttpQueryInfoA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionA, InternetQueryOptionA, DetectAutoProxyUrl
urlmon.dll	URLDownloadToFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 06:25:21.604410887 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:21.604494095 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:21.604590893 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:21.615364075 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:21.615401983 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.018399954 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.018487930 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.074568033 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.074624062 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.075083017 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.075167894 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.078850985 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.120153904 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.213850021 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.213923931 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.213948965 CEST	443	49706	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.214010000 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.494931936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.495011091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.495089054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.495383024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.495404959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.738807917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.738886118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.739345074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.739378929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:22.741133928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:22.741146088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.162071943 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.162105083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.162169933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.162201881 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.162203074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.162241936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.162276030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.162300110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.163696051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.163744926 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.163789988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.163803101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.163829088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.163845062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.163944006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.164011002 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.287659883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.287724018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.287754059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.287774086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.287791014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.287810087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.288589954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.288616896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.288649082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.288659096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.288686991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.288705111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.291778088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.291826010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.291841984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.291847944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.291873932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.291914940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.405832052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.405956030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.406009912 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.406047106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.406080008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.406101942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409058094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.409111023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.409143925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409156084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.409181118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409209967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409781933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.409833908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.409859896 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409876108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.409902096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409919977 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.409971952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.410036087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.429876089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.429930925 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.429985046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.429997921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.430026054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.430190086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.430632114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.430668116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.430706024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.430718899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.430746078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.430773973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.450500965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.450561047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.450598001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.450612068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.450638056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.450658083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.451234102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.451288939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.451313019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.451328993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.451355934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.451400995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.525186062 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.525335073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.532032013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532085896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532161951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.532174110 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532207966 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.532840014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532886982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532924891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.532937050 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532960892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.532964945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.533026934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.533039093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.533092976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.552798033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.552855968 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.552917957 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.552932024 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.552995920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.553608894 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.553656101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.553703070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.553714991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.553744078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.553777933 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.573473930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.573534012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.573596954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.573611021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.573656082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.573678017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.574474096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.574510098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.574548960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.574563026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.574590921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.574628115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.594247103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.594311953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.594358921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.594371080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.594402075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.594422102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.594991922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.595040083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.595074892 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.595086098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.595112085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.595133066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.595204115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.595284939 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.614974976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.615024090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.615058899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.615070105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.615099907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.615117073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.615832090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.615892887 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.615931988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.615942955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.615971088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.615989923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.616028070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.616087914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.635745049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.635795116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.635960102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.635972023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.636032104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.636641026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.636667013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.636715889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.636734009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.636764050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.636785984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.656718016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.656768084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.656811953 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.656825066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.656852961 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.657116890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.657179117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.657210112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.657227039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.657254934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.657270908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.657270908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.657284975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.657315969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.657339096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.678165913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.678219080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.678344011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.678344011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.678359032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.678545952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.678582907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.678632021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.678651094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.678725958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.678745031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699336052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699398994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699428082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699445009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699467897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699618101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699837923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699887037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699918032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699928999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699945927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.699954033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699971914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.699981928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.700007915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.700036049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.720793962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.720846891 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.720874071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.720890045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.720916033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.720931053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.721173048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.721224070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.721266031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.721282959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.721311092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.721335888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.742141962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.742186069 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.742228031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.742234945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.742263079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.742281914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.742611885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.742645025 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.742676973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.742683887 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.742712021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.742741108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.763446093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.763485909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.763526917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.763531923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.763703108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.763703108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.763950109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.763978958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.764025927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.764034033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.764054060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.764081001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.784830093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.784878969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.784909964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.784924984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.785084963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.785140991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.785299063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.785330057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.785371065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.785382986 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.785434008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.785434008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.806178093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806226015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806255102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.806269884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806294918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.806313038 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.806478977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806526899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806555986 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806559086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.806571007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.806591034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.806607962 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.827471972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.827531099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.827564001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.827574968 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.827729940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.828062057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.828093052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.828120947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.828120947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.828136921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.828177929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.828198910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.848866940 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.848928928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.848968029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.848982096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.849009991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.849028111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.849225998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.849251032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.849298000 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.849311113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.849343061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.849374056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.870003939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.870078087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.870126963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.870151997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.870178938 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.870202065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.870487928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.870517969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.870552063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.870572090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.870600939 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.870654106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.891278028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.891344070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.891396046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.891408920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.891449928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.891472101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.891671896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.891714096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.891752958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.891766071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.891793013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.891829014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.912750006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.912812948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.912851095 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.912858963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.912919998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.913204908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.913245916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.913278103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.913285017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.913301945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.913306952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.913326979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.913336039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.913357019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.913388968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.934139967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.934267044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.934317112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.934351921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.934379101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.934400082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.934631109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.934688091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.934724092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.934736967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.934761047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.934782028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.955372095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.955432892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.955466986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.955478907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.955502987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.955519915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.955837011 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.955930948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.956031084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.956031084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.956099033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.956190109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.976707935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.976748943 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.976810932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.976833105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.976847887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.976876974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.977186918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.977230072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.977269888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.977338076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.977353096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.977380037 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.977401972 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.997972012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.998054028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.998090029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.998120070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.998147964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.998169899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.998440981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.998497009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.998528004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.998541117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:23.998570919 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:23.998589039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019284010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019345999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019443035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019454956 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019493103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019493103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019725084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019788027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019818068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019819021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019844055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.019850969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019870996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.019890070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.040741920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.040788889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.040836096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.040842056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.040868998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.040888071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.041282892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.041337013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.041369915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.041383982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.041416883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.041438103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.062141895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.062228918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.062273026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.062293053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.062320948 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.062339067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.062489033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.062550068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.062680006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.062680006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.062745094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.062805891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.083383083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.083436966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.083472967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.083487034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.083515882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.083532095 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.083674908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.083695889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.083739996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.083751917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.083780050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.083802938 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.104600906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.104654074 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.104680061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.104696989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.104715109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.104738951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.105037928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.105074883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.105106115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.105113029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.105139971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.105165958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.126097918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.126138926 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.126168013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.126177073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.126213074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.126224041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.126454115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.126512051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.126580000 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.126580000 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.126610994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.126657009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.147418022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.147607088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.147669077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.147747993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.147782087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.147844076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.147866964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.147887945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.147922993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.147943020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.168829918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.169002056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.169061899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.169131041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.169150114 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.169174910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.169219017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.169234991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.169265985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.169276953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.169301987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.169321060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.190165997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.190207005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.190279007 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.190284967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.190323114 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.190342903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.190541029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.190563917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.190598965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.190606117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.190634012 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.190663099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.211262941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.211317062 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.211364985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.211376905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.211401939 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.211426020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.211755037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.211779118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.211817026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.211828947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.211860895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.211893082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.232975006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.233091116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.233146906 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.233186960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.233218908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.233239889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.233347893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.233370066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.233428001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.233443022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.233469963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.233500957 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.234811068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.234864950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.234898090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.234908104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.234950066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.234966993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.235274076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.235323906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.235353947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.235372066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.235404968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.235431910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.256211042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.256258965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.256290913 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.256298065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.256342888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.256577015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.256613016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.256650925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.256663084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.256690979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.256710052 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277189970 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277271032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277296066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277317047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277333975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277374983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277515888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277554989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277575016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277582884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277606010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277626038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277628899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.277637959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.277673006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.298027039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.298067093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.298106909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.298113108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.298151016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.298170090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.298392057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.298418045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.298451900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.298459053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.298492908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.298516035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.318799973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.318851948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.318882942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.318898916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.318927050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.318952084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.319153070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.319181919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.319228888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.319241047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.319271088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.319310904 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.339448929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.339504004 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.339529037 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.339545012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.339566946 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.339586973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.339936972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.339960098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.340003014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.340017080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.340044975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.340078115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.360356092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.360404015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.360429049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.360444069 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.360471010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.360486031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.360690117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.360729933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.360848904 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.360848904 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.360914946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.360984087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.381565094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.381609917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.381767988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.381768942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.381776094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.381819963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.381993055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.382030964 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.382064104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.382072926 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.382098913 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.382132053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.402895927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.402966976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.402992964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.403011084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.403034925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.403053045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.403350115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.403372049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.403424025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.403431892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.403460979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.403501987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.424196959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424314022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424379110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.424416065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424448013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.424482107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.424700022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424751043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424782991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.424784899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424797058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.424817085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.424834013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.445713043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.445774078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.445821047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.445833921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.445868015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.445888042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.446562052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.446584940 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.446631908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.446647882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.446675062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.446696997 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.467174053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.467283010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.467402935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.467402935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.467442989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.467488050 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.467510939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.467520952 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.467540979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.467567921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.467586994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.467612028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488254070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488327026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488384008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488406897 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488452911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488452911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488774061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488826036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488854885 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488873005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488898993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488939047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.488949060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.488979101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.489005089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.489034891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.509124994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.509258986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.509290934 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.509376049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.509531021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.509571075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.509603024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.509618044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.509630919 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.509666920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.529834986 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.530002117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.530062914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.530136108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.530150890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.530174971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.530215979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.530232906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.530265093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.530276060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.530307055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.530329943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.550445080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.550499916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.550561905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.550570965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.550605059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.550626993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.550725937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.550762892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.550791979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.550801039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.550828934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.550852060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.571774006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.571841955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.571891069 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.571917057 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.571935892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.571948051 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.571993113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.591717005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.591778994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.591849089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.591860056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.591881990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.591906071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.592053890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.592099905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.592128992 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.592135906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.592149973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.592160940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.592189074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.592195034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.592210054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.592250109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.612330914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612407923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612541914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.612560034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612608910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.612847090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612890959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612921000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612935066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.612941027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.612967014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.612996101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.633553028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.633599997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.633661985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.633668900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.633696079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.633714914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.633959055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.633991003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.634030104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.634037971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.634071112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.634102106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.654830933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.654875040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.654903889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.654910088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.654932976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.654956102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.655332088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.655370951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.655399084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.655406952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.655421972 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.655457973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.675856113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.675904036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.675941944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.675947905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.675967932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.675991058 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.676233053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.676273108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.676316023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.676326036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.676338911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.676377058 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697164059 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697201967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697233915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697241068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697287083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697314978 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697576046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697613001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697643042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697648048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697659969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697673082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697709084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.697715998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.697757959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.718400002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.718452930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.718470097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.718521118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.718527079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.718573093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.719048023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.719073057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.719108105 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.719115019 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.719153881 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.739799023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.739849091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.739901066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.739906073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.739933968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.739957094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.740226030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.740267992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.740299940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.740309000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.740343094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.740359068 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.761233091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.761286974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.761307001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.761317968 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.761348009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.761362076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.761632919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.761657000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.761706114 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.761713982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.761739016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.761770964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.782540083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.782583952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.782660007 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.782669067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.782700062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.782700062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.782991886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.783016920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.783071041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.783081055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.783103943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.783126116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.803802013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.803848028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.803891897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.803900003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.804054976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.804054976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.804227114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.804265022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.804295063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.804300070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.804311037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.804332018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.804352999 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.804358959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.804400921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825294018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825339079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825375080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825382948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825413942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825436115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825629950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825670004 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825700998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825706959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825736046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825758934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.825778961 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.825826883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.846661091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.846707106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.846863985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.846870899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.846930027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.847054958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.847101927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.847136021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.847150087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.847155094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.847172022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.847194910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.867990017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.868035078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.868069887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.868076086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.868113995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.868134022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.868308067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.868345976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.868381023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.868391037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.868465900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.868465900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889336109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889391899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889439106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889457941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889470100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889508009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889812946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889856100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889882088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889888048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889899015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889915943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889944077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.889949083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.889997959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.910605907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.910657883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.910689116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.910701036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.910725117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.910742044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.910948992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.910996914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.911020994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.911029100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.911051989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.911092043 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.931870937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.931909084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.931938887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.931945086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.931979895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.931997061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.932255983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.932293892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.932326078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.932343960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.932363033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.932389021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.953357935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.953408957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.953442097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.953453064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.953480005 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.953505039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.953696012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.953736067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.953779936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.953793049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.953818083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.953852892 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.974627018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.974678040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.974725008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.974736929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.974764109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.974802017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.975025892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.975064993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.975105047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.975117922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.975146055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.975183964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.995887041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.995944023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.995968103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.995985985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.996011972 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.996031046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.996259928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.996306896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.996332884 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.996350050 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.996376991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.996390104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.996416092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.996426105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:24.996452093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:24.996471882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.017297029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.017350912 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.017399073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.017410040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.017446995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.017462969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.017724991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.017779112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.017846107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.017847061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.017863035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.017924070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.038568020 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.038624048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.038674116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.038683891 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.038710117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.038728952 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.039009094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.039038897 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.039078951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.039092064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.039117098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.039153099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.059931040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.059988022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.060030937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.060041904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.060074091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.060089111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.060396910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.060441971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.060471058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.060472965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.060489893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.060512066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.060529947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.081020117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.081079006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.081111908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.081130028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.081157923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.081267118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.081538916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.081577063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.081619024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.081633091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.081659079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.081680059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.101758957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.101809025 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.101855993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.101871967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.101897955 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.101914883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.102148056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.102186918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.102242947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.102255106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.102293968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.102308989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.122292995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.122473001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.122534990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.122606993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.122634888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.122653961 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.122688055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.122703075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.122730970 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.122740984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.122764111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.122807026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.142827988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.143019915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.143095970 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.143135071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.143179893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.143193007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.143203020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.143208981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.143279076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.163238049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.163335085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.163374901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.163413048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.163440943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.163460970 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.163621902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.163659096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.163697958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.163713932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.163742065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.163758993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.183677912 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.183862925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.183923006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.184012890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.184056997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.184098005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.184129000 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.184146881 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.184180975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.184201002 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.204153061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.204292059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.204353094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.204441071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.204581976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.204621077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.204673052 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.204690933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.204722881 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.204742908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.224859953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.224901915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.224966049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.224972963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.225012064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.225012064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.225117922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.225157976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.225182056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.225192070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.225222111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.225251913 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.245304108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.245356083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.245409012 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.245419979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.245456934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.245496988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.245699883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.245749950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.245793104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.245805025 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.245834112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.245881081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.265892029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.265934944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.266007900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.266017914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.266043901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.266077995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.266315937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.266364098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.266410112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.266421080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.266453981 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.266479015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.286628008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.286679983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.286760092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.286771059 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.286798954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.286828041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.286912918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.286957026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.287000895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.287014008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.287067890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.287089109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.307110071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.307168007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.307219982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.307233095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.307262897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.307282925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.307468891 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.307518005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.307569027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.307580948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.307614088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.307629108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.327781916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.327837944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.327883959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.327897072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.327924013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.327943087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.328008890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.328061104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.328087091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.328119993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.328156948 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.328176975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.348181009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.348347902 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.348408937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.348494053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.348668098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.348711014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.348746061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.348769903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.348799944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.348819017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.369097948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.369263887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.369324923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.369421959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.369503975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.369558096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.369595051 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.369612932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.369642019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.369703054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.390086889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.390255928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.390316010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.390413046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.390501022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.390537024 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.390584946 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.390600920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.390629053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.390649080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.411037922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.411134958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.411185026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.411218882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.411247015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.411268950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.411520958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.411561966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.411604881 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.411618948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.411652088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.411669016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.432014942 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.432070971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.432111979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.432125092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.432151079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.432171106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.432336092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.432387114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.432418108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.432435989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.432467937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.432497025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.453253031 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.453319073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.453346014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.453363895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.453391075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.453406096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.453633070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.453680038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.453707933 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.453723907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.453752995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.453777075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.474421024 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.474477053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.474508047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.474524975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.474554062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.474569082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.474836111 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.474879026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.474910975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.474922895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.474951982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.474970102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.495757103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.495811939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.495872974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.495892048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.495919943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.495949984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.496279955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.496325016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.496361017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.496373892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.496400118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.496423960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.517205954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.517256975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.517291069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.517302036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.517373085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.517373085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.517585039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.517621994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.517661095 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.517673969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.517700911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.517718077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.538439035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.538515091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.538564920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.538588047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.538599968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.538630009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.538800001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.538837910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.538865089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.538872004 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.538898945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.538918972 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.559767962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.559819937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.559840918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.559854984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.559875011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.559892893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.560125113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.560168982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.560199976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.560209036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.560239077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.560259104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581135035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581175089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581211090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581218958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581247091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581263065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581490040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581528902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581563950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581569910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581595898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581595898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581614971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581623077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.581641912 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.581675053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602451086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602489948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602518082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602524996 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602550983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602569103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602782965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602818012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602845907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602852106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602864027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602893114 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602917910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.602922916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.602965117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.623718023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.623765945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.623797894 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.623809099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.623852015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.623876095 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.624366045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.624399900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.624438047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.624447107 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.624464035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.624497890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.645029068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645086050 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645137072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.645153046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645180941 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.645204067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.645442963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645486116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645519972 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.645524979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645540953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.645556927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.645575047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.666301966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.666354895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.666393042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.666404009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.666418076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.666440964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.666770935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.666809082 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.666838884 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.666847944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.666877031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.666899920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.687732935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.687777996 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.687828064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.687849998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.687876940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.687899113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.688074112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.688133955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.688148022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.688160896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.688208103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.688225985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.708848000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.708906889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.708945990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.708965063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.708982944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.709002018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.709156036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.709193945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.709224939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.709263086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.709271908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.709295034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.709316969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.729549885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.729628086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.729652882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.729671955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.729687929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.729703903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.729984999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.730029106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.730058908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.730068922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.730087042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.730133057 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.750284910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750336885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750375032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.750390053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750412941 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.750427008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.750708103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750751019 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750780106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.750785112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750798941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.750813961 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.750839949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.771310091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771379948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771411896 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.771431923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771447897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.771471024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.771646976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771692038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771733046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.771738052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771753073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.771770954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.771801949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.792618990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.792684078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.792714119 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.792732000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.792747021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.792776108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.795641899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.795701027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.795737028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.795753002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.795774937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.795802116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.795991898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.796058893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.815510988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.815574884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.815607071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.815623999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.815661907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.815671921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.816348076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.816386938 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.816431999 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.816448927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.816479921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.816504002 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.835268974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.835341930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.835437059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.835459948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.835480928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.835515976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.835669994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.835710049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.835884094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.835884094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.835894108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.835937023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.856683016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.856734037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.856775999 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.856786013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.856801033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.856829882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.856986046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.857023001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.857049942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.857057095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.857085943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.857108116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.877893925 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.877953053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.878015995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.878032923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.878057957 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.878082991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.878278017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.878321886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.878353119 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.878365993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.878395081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.878416061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.899250031 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.899297953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.899347067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.899363995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.899391890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.899410009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.899563074 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.899612904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.899643898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.899657011 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.899688959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.899713993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.920573950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.920629978 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.920670986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.920684099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.920737982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.920737982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.920923948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.920975924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.921001911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.921016932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.921044111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.921057940 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.921103001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.921103001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.921114922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.921159029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.941586018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.941643953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.941705942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.941718102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.941745996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.941766024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.942095995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.942137957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.942178011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.942189932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.942215919 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.942238092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.962380886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.962436914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.962471008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.962481022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.962503910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.962529898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.962831974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.962884903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.962908983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.962940931 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.962975979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.962995052 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.983066082 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.983127117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.983170986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.983181953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.983338118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.983338118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.983417034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.983473063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.983500004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.983516932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:25.983546019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:25.983572960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.004091978 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.004260063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.004331112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.004435062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.004457951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.004517078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.004548073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.004568100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.004597902 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.004618883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.025010109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.025068045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.025152922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.025176048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.025338888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.025425911 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.025422096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.025423050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.025423050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.025496960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.025557041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.025557995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.045746088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.045912027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.045974016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.046075106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.046175003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.046221018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.046260118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.046276093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.046323061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.046339989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.066468000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.066648006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.066709995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.066803932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.066957951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.067012072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.067040920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.067059040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.067090988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.067128897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.087246895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.087416887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.087477922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.087563992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.087614059 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.087651968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.087651968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.087681055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.087722063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.087743044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.107952118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.108102083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.108163118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.108257055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.108360052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.108424902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.108428955 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.108457088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.108489037 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.108511925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.128680944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.128838062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.128900051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.129036903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.129086971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.129142046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.129178047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.129196882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.129235029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.129261971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.149451971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.149627924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.149693012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.149784088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.149796009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.149821997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.149862051 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.149878979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.149904013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.149919987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.149944067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.149976015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.170190096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.170350075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.170413017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.170491934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.170567036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.170628071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.170656919 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.170675993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.170708895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.170742035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.191160917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.191215992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.191247940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.191261053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.191294909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.191310883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.191519022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.191565037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.191596985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.191613913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.191644907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.191670895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.212486029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.212651968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.212713957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.212806940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.212871075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.212918043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.212954998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.212971926 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.213002920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.213021994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.233908892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.234072924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.234133959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.234230042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.234287977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.234354973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.234384060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.234401941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.234437943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.234463930 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.235841990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.235894918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.235930920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.235950947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.235979080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.235997915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.236366034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.236421108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.236457109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.236474037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.236500978 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.236531973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.256872892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.257030964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.257091999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.257189989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.257268906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.257338047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.257370949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.257390022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.257425070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.257443905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.277533054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.277604103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.277647018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.277674913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.277698994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.277718067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.277885914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.277931929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.278028965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.278044939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.278114080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.298132896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.298193932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.298230886 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.298242092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.298268080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.298294067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.298441887 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.298491001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.298515081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.298532009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.298558950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.298588991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.318748951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.318804979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.318835974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.318849087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.318886995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.319086075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.319134951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.319160938 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.319176912 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.319202900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.319216013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.319243908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.319253922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.319276094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.319298029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.339382887 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.339550018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.339617014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.339694977 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.339829922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.339883089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.339911938 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.339930058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.339962006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.339987040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.360120058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.360280991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.360342979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.360424995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.360508919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.360575914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.360605001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.360622883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.360654116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.360691071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.381170034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.381345034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.381406069 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.381484032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.381624937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.381669998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.381689072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.381710052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.381741047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.381761074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.402476072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.402535915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.402582884 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.402601957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.402635098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.402652025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.402961969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.403002024 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.403047085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.403059959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.403094053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.403114080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.423795938 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.423851967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.423902988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.423913956 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.423944950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.423969030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.424280882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.424331903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.424364090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.424385071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.424416065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.424447060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.445203066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.445293903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.445318937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.445336103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.445357084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.445377111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.445607901 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.445645094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.445684910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.445698977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.445730925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.445765018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.466425896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.466487885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.466512918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.466528893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.466556072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.466571093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.466824055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.466882944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.466913939 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.466933012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.466959953 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.466979027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.487746000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.487816095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.487865925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.487884998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.487911940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.487926006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.488202095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.488271952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.488301039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.488317966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.488341093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.488358974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.488382101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.488394976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.488420010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.488441944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.508809090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.508879900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.508908033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.508925915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.508954048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.508969069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.509181023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.509236097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.509262085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.509279966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.509310961 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.509325027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.529319048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.529380083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.529409885 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.529428959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.529454947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.529470921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.529720068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.529773951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.529800892 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.529818058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.529843092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.529871941 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.549824953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.549885035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.549943924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.549956083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.549983025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.550002098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.550136089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.550185919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.550210953 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.550228119 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.550257921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.550276041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.570184946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.570255995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.570301056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.570312977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.570339918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.570359945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.570555925 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.570604086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.570641994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.570662975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.570688009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.570705891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.590708971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.590770960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.590820074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.590837002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.590863943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.590879917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.590960026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.591015100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.591048002 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.591063976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.591090918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.591104984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.591134071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.591142893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.591166973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.591190100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.611030102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.611095905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.611133099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.611144066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.611175060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.611193895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.611452103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.611499071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.611542940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.611565113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.611594915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.611610889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.631453037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.631515026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.631550074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.631561995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.631644964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.631644964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.631855965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.631912947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.631942987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.631962061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.632024050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.632024050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.652043104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.652216911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.652278900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.652334929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.652374983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.652393103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.652434111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.652448893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.652479887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.652489901 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.652520895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.652542114 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.672555923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.672728062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.672797918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.672889948 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.672966957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.673022032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.673059940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.673080921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.673115015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.673142910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.693202972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.693370104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.693432093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.693525076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.693586111 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.693639994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.693670034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.693691969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.693723917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.693742990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.713695049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.713856936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.713917971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.714013100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.714370966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.714428902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.714467049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.714473963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.714487076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.714489937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.714509964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.714528084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734277010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.734333038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.734361887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734380960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.734405041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734442949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734579086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.734622002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.734726906 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734728098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734728098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.734795094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.734854937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.754755974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.754812956 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.754848003 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.754859924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.754883051 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.754904032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.755274057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.755316973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.755350113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.755362988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.755392075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.755410910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.775120020 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.775177002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.775211096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.775227070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.775279045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.775279045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.775540113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.775583029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.775620937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.775640011 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.775669098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.775688887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.795742989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.795808077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.795835018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.795850992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.795877934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.795907021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.796072960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.796118975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.796155930 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.796159983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.796176910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.796186924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.796207905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.796224117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.816262960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.816328049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.816375017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.816389084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.816415071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.816430092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.816616058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.816665888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.816701889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.816719055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.816746950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.816761971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.836896896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.836960077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.836997986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.837014914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.837043047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.837066889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.837274075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.837317944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.837356091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.837373972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.837397099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.837426901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.857777119 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.857887983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.857934952 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.857959032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.857965946 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.857975006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.857997894 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.858032942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.858061075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.858083010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.858088017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.858115911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.858129025 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.858155012 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.858202934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.878495932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.878556013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.878614902 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.878627062 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.878659964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.878678083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.878813028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.878865957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.878904104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.878922939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.878953934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.878998995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.899394035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.899559975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.899621010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.899719954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.899800062 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.899856091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.899888992 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.899897099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.899918079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.899924040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.899955034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.899975061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.920653105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.920715094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.920763969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.920778990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.920803070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.920825005 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.920989037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.921044111 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.921143055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.921144009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.921209097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.921281099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.941139936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.941353083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.941438913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.941461086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.941905022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.941946030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.942140102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.961815119 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.961999893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962060928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962260962 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962338924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962388992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962441921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962455034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962495089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962531090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962743998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962793112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962851048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962862015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.962896109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.962910891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963085890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963133097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963190079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963202000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963269949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963289976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963579893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963634968 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963675022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963685036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963709116 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963735104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963902950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963949919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.963983059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.963994026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.964025021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.964045048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.964067936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.964078903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.964288950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.977317095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.977368116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.977535009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.977559090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.977703094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.977761984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.977802038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.977916956 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.977927923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.977984905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.985810041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.985944986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.997697115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.997761965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.997827053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.997842073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.997864962 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.997898102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.998152018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.998191118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.998285055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:26.998286963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.998303890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:26.998348951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.018747091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.018804073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.018860102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.018872023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.018919945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.018937111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.019221067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.019268990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.019325018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.019345999 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.019361973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.019387960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.019407034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.019426107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.039956093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.040019989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.040190935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.040191889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.040210962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.040277958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.040457010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.040512085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.040558100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.040570021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.040612936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.040642023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.060359955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.060583115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.060636997 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.060671091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.060700893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.060723066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.060933113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.060981989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.061017036 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.061029911 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.061058998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.064222097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.081420898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.081620932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.081667900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.081702948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.081731081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.081765890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.082247972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.082298994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.082344055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.082356930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.082387924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.082415104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.082629919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.082680941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.082726002 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.082736969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.082765102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.082784891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.083308935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.083355904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.083386898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.083398104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.083422899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.083446980 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.083662987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.083731890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.084362984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084409952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084434032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084446907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.084453106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084467888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084484100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.084517956 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084541082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.084556103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.084580898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.084604025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.096133947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.096188068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.096226931 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.096236944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.096554041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.096554041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.097068071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.097138882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.097192049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.097209930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.097249031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.097280979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.108617067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.108673096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.108719110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.108730078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.108876944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.108876944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.117388010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.117451906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.117501020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.117513895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.117543936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.117566109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.117726088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.117794037 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.128932953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.128982067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.129015923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.129029989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.129172087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.129172087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.138588905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.138642073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.138686895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.138700008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.138731956 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.138756990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.158927917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.159126997 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.159198046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.159369946 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.159701109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.159753084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.159786940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.159791946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.159806967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.159807920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.159838915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.159857035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.179838896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180051088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180097103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.180136919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180212021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.180212021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.180519104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180571079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180608988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.180620909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180648088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.180675030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.180682898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180700064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.180757046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.200551987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.200710058 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.200773001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.200944901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.201823950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.201873064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.201915979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.201931953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.201958895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.201998949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.202313900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.202363014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.202398062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.202415943 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.202445984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.202461958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.202971935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.203010082 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.203052044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.203063965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.203093052 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.203113079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204195976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204243898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204272032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204286098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204313040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204329967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204710960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204756021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204785109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204794884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204818010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204843044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.204902887 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.204972982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.205058098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.205100060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.205127001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.205137014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.205162048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.205179930 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.216658115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.216710091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.216778994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.216789961 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.216814041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.216825008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.216842890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.216852903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.216881990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.216900110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.224582911 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.224639893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.224678993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.224689960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.224725962 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.224745989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.236625910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.236685991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.236732006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.236758947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.236773014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.237087011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.237087965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.245620012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.245697975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.245738983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.245754957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.245784044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.245804071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.257843971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.257901907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.257960081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.257972002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.257998943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.258017063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.258143902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.258208990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.258663893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.258713007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.258743048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.258754015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.258774996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.258802891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.278819084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.278944016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.278975964 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.279053926 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.279130936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.279190063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.286669016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.286725044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.286794901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.286813021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.286842108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.286856890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.299873114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.299943924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.300009966 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.300029993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.300055981 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.300062895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.300090075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.300096035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.300131083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.300159931 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.310014009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.310058117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.310100079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.310105085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.310162067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.321415901 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.321465015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.321494102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.321501017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.321532965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.321562052 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.321952105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.321996927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.322040081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.322046041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.322069883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.322088957 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.322668076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.322707891 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.322738886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.322750092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.322755098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.322797060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.323591948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.323633909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.323662996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.323668003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.323720932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.324446917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.324515104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.324542999 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.324548006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.324575901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.324600935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.335968971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336009026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336040020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.336045027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336072922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.336105108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.336455107 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336494923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336523056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.336529970 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336564064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336580038 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.336587906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.336610079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.336633921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.356736898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.356781006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.356806993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.356813908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.356844902 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.356864929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.357271910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.357309103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.357341051 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.357347965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.357384920 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.357402086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.377365112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.377418041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.377509117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.377516031 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.377558947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.377578020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.377665997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.377712965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.377743959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.377751112 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.377783060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.377808094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.398046017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.398092985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.398123026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.398129940 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.398174047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.398896933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.398935080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.398968935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.398972988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.399003029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.399022102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.399045944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.399099112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.418426037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.418469906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.418504000 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.418513060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.418566942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.419053078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.419090033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.419137955 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.419142008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.419167042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.419178963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.419329882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.419392109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.439187050 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.439352989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.439382076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.439456940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.439640999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.439687014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.439717054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.439723015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.439754963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.439771891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.440521002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.440603971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.459780931 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.459914923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.459944963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.460031986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.460175991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.460231066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.460264921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.460283995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.460318089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.460336924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.480751038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.480916023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.480977058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.481075048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.481177092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.481235981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.481265068 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.481285095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.481314898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.481357098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.502227068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.502293110 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.502405882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.502433062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.502433062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.502453089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.502475023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.502507925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.522267103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.522325993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.522373915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.522387028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.522414923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.522433043 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.522731066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.522808075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.522887945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.522887945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.522954941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.523025036 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.542856932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.542923927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.542977095 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.542993069 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.543016911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.543039083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.543236017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.543286085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.543329954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.543344021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.543378115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.543404102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563379049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563453913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563508987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563525915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563539982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563585043 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563785076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563836098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563872099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563878059 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563896894 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.563915014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563931942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.563955069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.583971977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.584023952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.584187984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.584187984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.584208965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.584379911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.584465027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.584517002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.584547997 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.584561110 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.584592104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.584619045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.604846954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.604904890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.604950905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.604960918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.604994059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.605016947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.605292082 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.605344057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.605389118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.605405092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.605431080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.605463028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.625457048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625519037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625556946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625577927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625606060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.625622034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625648022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625648022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.625677109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.625689983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.625714064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.625742912 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.646003008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.646064043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.646153927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.646166086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.646194935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.646217108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.646579981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.646630049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.646656036 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.646672010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.646699905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.646763086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.666944981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.667115927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.667176962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.667268991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.667433977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.667484045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.667514086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.667530060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.667561054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.667587042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.687748909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.687804937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.687844992 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.687858105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.687882900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.687902927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.688153028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.688203096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.688235998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.688247919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.688266993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.688271999 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.688293934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.688306093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.688330889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.688354015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.708739042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.708897114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.708982944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.709001064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.709039927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.709039927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.709131956 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.709187031 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.709223986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.709239960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.709285975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.709345102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.709783077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.709853888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.730132103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.730226040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.730252028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.730271101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.730294943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.730320930 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.730483055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.730539083 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.730566978 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.730583906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.730612040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.730657101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751351118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751413107 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751458883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751472950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751501083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751521111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751703978 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751755953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751792908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751799107 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751816988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.751832008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751848936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.751868963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.772687912 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.772732973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.772766113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.772774935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.772805929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.772834063 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.772978067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.773029089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.773056030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.773071051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.773097992 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.773098946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.773112059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.773127079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.773153067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.773176908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794045925 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794106007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794138908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794157982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794182062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794450045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794496059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794512987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794540882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794558048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794589043 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794598103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.794625998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.794645071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.815268040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815340996 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815390110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.815414906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815443993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.815459967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.815666914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815722942 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815797091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815845013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.815860033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.815888882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.815908909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.836595058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.836661100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.836689949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.836709023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.836734056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.836772919 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.837008953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.837064028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.837095022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.837112904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.837141991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.837172031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.857909918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858012915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858062983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.858097076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858125925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.858146906 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.858270884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858323097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858366013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.858382940 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858407974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.858428001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.858625889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.858699083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879164934 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879370928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879427910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879462957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879492044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879501104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879513979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879534006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879560947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879575968 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879607916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879620075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.879651070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.879678965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.900615931 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.900677919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.900734901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.900747061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.900778055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.900799036 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.900923014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.900979996 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.901010036 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.901022911 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.901052952 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.901072979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.921859026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.921936035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.921988010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.921998978 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.922029018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.922046900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.922226906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.922277927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.922312975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.922327042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.922352076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.922368050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.922386885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.922452927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943113089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943173885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943232059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943245888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943275928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943294048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943491936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943555117 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943571091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943588972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943624973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943656921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943670034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.943694115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.943713903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.964515924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.964571953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.964627981 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.964642048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.964673042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.964689970 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.964845896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.964895964 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.964926004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.964947939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.964962959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.965007067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.985759974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.985817909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.985846996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.985861063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.985886097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.985907078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.986083984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.986140013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.986176014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.986186028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.986213923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.986229897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:27.986264944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:27.986335993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.006984949 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007031918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007050037 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007057905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007076025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007097006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007355928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007395983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007419109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007424116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007436991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007450104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007462978 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007467031 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.007493973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.007515907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.028224945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.028270960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.028311968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.028321981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.028347015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.028367043 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.028708935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.028744936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.028770924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.028776884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.028804064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.028821945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.049587965 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.049670935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.049705029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.049729109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.049760103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.049777031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.049941063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.049989939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.050024986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.050043106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.050071955 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.050087929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.050101042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.050148964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.070871115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.070924044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.070974112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.070986032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.071013927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.071031094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.071300030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.071352959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.071384907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.071389914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.071405888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.071405888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.071425915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.071445942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.092189074 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.092339993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.092371941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.092454910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.092614889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.092669964 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.092708111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.092726946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.092765093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.092788935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.113538027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.113697052 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.113758087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.113840103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.113908052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.113965034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.113996029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.114015102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.114042044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.114085913 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.134767056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.134864092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.134906054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.134943962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.134975910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.134996891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.135200024 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.135257006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.135289907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.135308027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.135340929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.135371923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.156013012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.156068087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.156192064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.156193018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.156212091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.156271935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.156541109 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.156666994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.156698942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.156760931 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.156804085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.156829119 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.177238941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.177303076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.177346945 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.177360058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.177390099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.177408934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.177630901 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.177678108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.177709103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.177727938 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.177758932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.177789927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.198045015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.198110104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.198153019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.198163986 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.198193073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.198209047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.198468924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.198522091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.198554993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.198571920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.198607922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.198626041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.218673944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.218724966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.218760014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.218776941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.218802929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.218817949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.219095945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.219147921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.219177008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.219192982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.219224930 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.219249964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.239414930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.239458084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.239696026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.239708900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.239778042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.239800930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.239849091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.239881039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.239892960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.239921093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.239964008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260202885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260260105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260303974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260314941 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260341883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260356903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260560989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260611057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260637045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260652065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260674953 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260679960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260690928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260706902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.260735035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.260754108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281339884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281405926 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281461954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281476021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281503916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281527042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281778097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281835079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281864882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281869888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281884909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.281886101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281913042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.281933069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.302701950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.302762985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.302791119 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.302808046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.302836895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.302855968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.303083897 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.303134918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.303168058 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.303186893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.303215981 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.303240061 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.323932886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.323992968 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.324039936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.324052095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.324219942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.324219942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.324518919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.324572086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.324603081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.324615002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.324639082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.324665070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345408916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345473051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345510006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345521927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345699072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345700026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345716000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345732927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345782995 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345815897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345833063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345860958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345880985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345885038 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.345896959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.345947027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.366703987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.366766930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.366898060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.366898060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.366914988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.366970062 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.367060900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.367125988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.367162943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.367178917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.367204905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.367224932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.367254019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.367263079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.367286921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.367319107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.388000011 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.388062954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.388096094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.388109922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.388259888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.388259888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.388659000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.388712883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.388746023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.388761997 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.388789892 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.388806105 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409411907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409473896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409559965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409575939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409761906 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409761906 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409784079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409801960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409826994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409843922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409862041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409885883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409904003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409933090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.409941912 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.409962893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.410002947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.430682898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.430744886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.430782080 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.430794001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.430998087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.430998087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.431031942 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.431087017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.431118011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.431128979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.431152105 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.431168079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.431196928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.431205988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.431227922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.431257963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452121019 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452291012 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452353954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452426910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452589035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452657938 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452680111 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452697039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452727079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452742100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452770948 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452780962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.452805042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.452825069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.473537922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.473705053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.473766088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.473872900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.473927021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.473974943 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.473990917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.473990917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.473992109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.474018097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.474057913 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.474081993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.494769096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.494844913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.494883060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.494899988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.494926929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.494951963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.495089054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.495179892 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.495248079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.495249033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.495312929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.495378017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.516169071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.516244888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.516257048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.516287088 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.516324997 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.516350985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.516469002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.516644001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.516684055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.516746998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.516788960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.516813993 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.537502050 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.537602901 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.537652969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.537688971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.537791014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.537791967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.537939072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.537995100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.538027048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.538048029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.538080931 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.538105965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.558896065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.558968067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.559111118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.559111118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.559124947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.559154987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.559192896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.559195995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.559212923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.559232950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.559266090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.559295893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.559312105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.559366941 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580157042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580370903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580420017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580462933 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580492973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580517054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580538034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580605984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580627918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580645084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580679893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580694914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580727100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580737114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.580765963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.580789089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.601481915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.601684093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.601746082 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.601824045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.601855993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.601924896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.601954937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.601974010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.602003098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.602008104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.602020025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.602037907 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.602072954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.602098942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.622718096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.622884035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.622947931 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.623059034 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.623147011 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.623223066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.623251915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.623270035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.623298883 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.623312950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.623347044 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.623357058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.623380899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.623398066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644232988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644351959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644399881 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644434929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644464016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644486904 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644547939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644607067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644632101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644646883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644676924 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644680023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644696951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644709110 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.644733906 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.644767046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.665870905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.665929079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.665960073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.665977955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.666004896 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.666019917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.666445017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.666507959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.666536093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.666552067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.666575909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.666593075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.666645050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.666656017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.666678905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.666695118 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.686702967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.686778069 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.686808109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.686825037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.686852932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.686867952 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.687191963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.687254906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.687283039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.687299967 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.687324047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.687340975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.687367916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.687377930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.687398911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.687423944 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.708041906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.708105087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.708153009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.708164930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.708190918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.708209038 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.708489895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.708555937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.708576918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.708595991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.708622932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.708655119 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729087114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.729152918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.729185104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729197025 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.729223013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729244947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729528904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.729589939 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.729619026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729638100 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.729661942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729682922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.729703903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.749900103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.749965906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.750005960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.750025034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.750051975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.750067949 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.750226974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.750288963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.750318050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.750336885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.750365019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.750384092 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.770533085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.770704985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.770766973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.770842075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.770860910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.770884991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.770920992 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.770960093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.770967960 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.770986080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.771012068 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.771035910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.791407108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.791577101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.791640043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.791738987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.791835070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.791897058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.791932106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.791951895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.791985989 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.792011023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.812165976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.812330961 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.812391996 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.812489986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.812550068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.812608957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.812635899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.812654972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.812685013 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.812710047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.833471060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.833545923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.833602905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.833632946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.833668947 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.833683014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.833730936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.833738089 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.833751917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.833782911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.854497910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.854645967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.854676008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.854785919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.854824066 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.854861975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.854888916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.854888916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.854888916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.854898930 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.854914904 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.854952097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.875739098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.875796080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.875943899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.875967026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.876121998 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.876125097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.876142979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.876183033 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.876214027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.876214027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.876229048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.876251936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.876280069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.876280069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.876300097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.897100925 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.897262096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.897311926 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.897416115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.897454977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.897506952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.897533894 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.897551060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.897584915 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.897617102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.918514013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.918675900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.918704033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.918723106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.918747902 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.918776035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.918849945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.918883085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.918915033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.918920994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.918951035 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.918975115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.939693928 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.939821959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.939851999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.940071106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.940105915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.940181017 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.944907904 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.944928885 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.944998026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961040020 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961095095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961169004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961179972 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961441994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961441994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961494923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961504936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961569071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961606979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961630106 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.961663961 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961695910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.961716890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.982388020 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.982445955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.982597113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.982597113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.982614040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.982682943 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.982760906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.982809067 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.982841015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.982856035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:28.982888937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:28.982914925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.003680944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.003819942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.003849983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.004043102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.004059076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.004108906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.004178047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.004178047 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.004194021 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.004261971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.025072098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.025124073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.025160074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.025171041 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.025197029 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.025214911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.025538921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.025585890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.025621891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.025635004 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.025662899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.025682926 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046359062 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046566010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046626091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046660900 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046683073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046698093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046713114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046744108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046755075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046782970 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046812057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046818018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046828985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.046864986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.046901941 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.067624092 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.067790985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.067852020 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.067964077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.068015099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.068069935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.068087101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.068161011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.068161011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.089011908 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.089142084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.089173079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.089339018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.089457035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.089498043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.089529991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.089535952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.089550972 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.089584112 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.110341072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.110527992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.110553026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.110573053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.110599995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.110620022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.110693932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.110743999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.110795975 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.110807896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.110841990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.110867023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.131597042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.131759882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.131789923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.131866932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.131932020 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.131970882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.131994009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.132002115 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.132024050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.132047892 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.152903080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.153038979 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.153069973 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.153223991 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.153297901 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.153333902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.153366089 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.153372049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.153389931 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.153428078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.174247980 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.174412012 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.174420118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.174442053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.174474001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.174515009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.174593925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.174593925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.174593925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.174593925 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.174606085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.174654007 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195353985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195547104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195568085 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195585966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195621014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195640087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195806980 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195857048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195892096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195907116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195935011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195954084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.195957899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.195969105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.196018934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.216747046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.216788054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.217025995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.217025995 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.217056990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.217109919 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.217168093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.217211962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.217241049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.217247009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.217262030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.217319965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.237979889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238135099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.238202095 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238296032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.238343954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238398075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238425016 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.238441944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238466024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.238483906 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238512039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.238523960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.238548040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.238569021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.259274006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.259449959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.259526014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.259610891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.259666920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.259721994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.259751081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.259768009 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.259798050 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.259813070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.280602932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.280736923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.280771971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.280843019 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.280980110 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.281017065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.281038046 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.281045914 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.281064987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.281095028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302012920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302145004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302174091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302233934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302356958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302393913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302424908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302431107 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302443027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302443027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302467108 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302473068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.302495003 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.302520990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323472023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323524952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323566914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323576927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323596954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323606014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323618889 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323659897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323659897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323679924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323707104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323725939 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.323769093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.323834896 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.344752073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.344886065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.344917059 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.344985008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.344986916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.344995022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.345019102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.345047951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.345055103 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.345066071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.345071077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.345088959 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.345094919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.345120907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.345155001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.365959883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.366014957 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.366059065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.366070032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.366097927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.366117001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.366334915 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.366385937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.366528988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.366529942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.366594076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.366661072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.387191057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.387257099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.387301922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.387315989 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.387340069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.387370110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.387569904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.387753963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.387773037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.387821913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.387865067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.387891054 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.408626080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.408751011 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.408781052 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.408843040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.408977985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.409010887 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.409039021 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.409044027 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.409056902 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.409084082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.409099102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.409148932 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.429919958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.430007935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.430062056 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.430100918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.430128098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.430150032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.430305004 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.430347919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.430381060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.430397034 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.430428028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.430459976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.451179028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451250076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451390028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.451390028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.451411963 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451462984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.451637030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451682091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451711893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.451713085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451725006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.451741934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.451761961 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.472635984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.472824097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.472887993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.472954035 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.472970963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.472995996 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.473037004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.473052979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.473082066 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.473092079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.473115921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.473140001 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.493798971 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.493849993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.493891954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.493926048 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.494132996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.494132996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.494235039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.494277954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.494314909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.494316101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.494339943 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.494370937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.494370937 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.494391918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.515115976 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.515168905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.515517950 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.515542030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.515588999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.515634060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.515659094 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.515688896 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.515701056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.515733957 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.515749931 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.536587954 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.536660910 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.536791086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.536823988 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.536844015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.536880016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.536931038 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.536974907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.536974907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.536974907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.536997080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.537039042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.537060022 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.557735920 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.557897091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.557957888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.558125019 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.558163881 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.558182001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.558226109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.558244944 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.558273077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.558283091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.558310986 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.558340073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.579072952 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.579278946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.579319954 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.579360008 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.579387903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.579411983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.579539061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.579587936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.579619884 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.579636097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.579667091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.579684973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.600519896 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.600682974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.600747108 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.600837946 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.600914001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.600965023 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.600996971 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.601010084 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.601028919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.601038933 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.601057053 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.601068974 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.601118088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.601160049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.621748924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.621824026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.621881008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.621916056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.622044086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.622045040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.622231960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.622273922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.622318983 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.622445107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.622458935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.622517109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.643090010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.643158913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.643275023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.643275976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.643296003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.643349886 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.643493891 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.643533945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.643565893 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.643577099 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.643604994 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.643630981 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664382935 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664433956 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664573908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664575100 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664591074 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664645910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664766073 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664800882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664834023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664839029 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664849043 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664863110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664885998 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664892912 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.664905071 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.664940119 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.685714960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.685775042 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.685900927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.685900927 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.685914040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.685980082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.686178923 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.686223030 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.686249018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.686254978 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.686265945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.686296940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.686296940 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.686316967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.706960917 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707113028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.707174063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707284927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707336903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707370996 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.707391977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707422018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.707422018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.707429886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707451105 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.707463026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.707487106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.707510948 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728199005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728404999 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728455067 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728490114 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728518963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728538990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728657007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728704929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728738070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728753090 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728779078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728794098 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.728802919 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.728854895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.749970913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750051975 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750096083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.750127077 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750158072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.750180006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.750494003 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750540018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750566006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.750581026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750608921 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.750623941 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.750637054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.750685930 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.770931005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.770984888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771014929 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771033049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771056890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771078110 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771347046 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771393061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771416903 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771430969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771456003 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771469116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771471024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771486044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.771509886 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.771550894 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.792288065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.792383909 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.792481899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.792481899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.792521000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.792650938 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.792690992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.792721033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.792741060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.792781115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.792781115 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.792805910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.813507080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.813558102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.813683987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.813683987 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.813698053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.813751936 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.814009905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.814050913 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.814095020 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.814110994 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.814140081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.814163923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.835161924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.835212946 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.835356951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.835356951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.835370064 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.835416079 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.835706949 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.835865974 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.835927010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.835987091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.836026907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.836042881 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.836071014 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.836091042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.856431007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.856617928 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.856679916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.856713057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.856745958 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.856779099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.856779099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.856797934 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.856834888 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.856858015 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.877918005 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.877994061 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878021955 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878046036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878060102 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878084898 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878282070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878335953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878369093 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878384113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878408909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878424883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878427982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878454924 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.878472090 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.878503084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.899481058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.899636030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.899697065 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.899774075 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.899985075 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.900043964 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.900079966 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.900096893 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.900162935 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.900163889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.920886993 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921051025 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.921114922 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921206951 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.921382904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921438932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921480894 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.921493053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921516895 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921523094 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.921540976 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.921551943 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.921581030 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.921624899 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.941617966 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.941721916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.941768885 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.941804886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.941837072 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.941855907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.941968918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.942015886 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.942044973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.942064047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.942100048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.942100048 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.942121983 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963145018 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963211060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963267088 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963280916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963311911 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963331938 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963560104 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963610888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963710070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963726044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963748932 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963756084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963784933 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963794947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.963818073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.963843107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984349012 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984407902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984481096 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984491110 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984538078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984558105 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984733105 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984786987 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984814882 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984829903 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984857082 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984872103 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:29.984904051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:29.984966040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.005615950 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.005676031 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.005723000 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.005734921 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.005767107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.005785942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.005939007 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.005990982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.006028891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.006040096 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.006066084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.006081104 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.006202936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.006270885 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.026936054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027010918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027036905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027055979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027081966 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027100086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027342081 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027403116 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027431965 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027441978 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027467966 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027476072 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027486086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027524948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.027549028 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.027573109 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048300982 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.048357010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.048409939 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048422098 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.048456907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048476934 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048664093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.048718929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.048743010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048757076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.048784018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048798084 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.048945904 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.049014091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.069612026 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.069679022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.069823027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.069823027 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.069838047 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.069886923 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.069972992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.070023060 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.070050955 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.070065022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.070090055 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.070111036 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.070113897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.070136070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.070141077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.070158958 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.070185900 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.090888977 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.090939045 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.090989113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091000080 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.091026068 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091047049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091233015 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.091290951 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.091315031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091330051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.091356039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091366053 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.091372967 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091391087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.091422081 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.091444969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112097979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112171888 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112205982 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112216949 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112245083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112262964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112576962 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112632990 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112657070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112670898 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112698078 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112710953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112713099 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112734079 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.112765074 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.112785101 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.133630037 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.133688927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.133944988 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.133958101 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.134025097 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.134041071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.134089947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.134135008 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.134144068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.134171963 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.134188890 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.134191990 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.134211063 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.134238005 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.134263039 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.154833078 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.154901028 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.154944897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.154956102 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.154985905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.155009031 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.155189991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.155240059 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.155280113 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.155287981 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.155313969 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.155320883 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.155333042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.155358076 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.155380964 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.155404091 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.175995111 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.176047087 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.176096916 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.176131010 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.176162004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.176182985 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.176369905 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.176414013 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.176462889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.176462889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.176476002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.176536083 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.197324991 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.197395086 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.197432041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.197442055 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.197468042 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.197493076 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.197741032 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.197782040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.197820902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.197952032 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.197963953 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.198029041 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.218579054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.218632936 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.218669891 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.218682051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.218723059 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.218758106 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.218961000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.219007969 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.219032049 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.219047070 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.219075918 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.219099045 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.240129948 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.240185022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.240255117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.240266085 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.240293026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.240314007 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.240596056 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.240642071 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.240674973 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.240690947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.240722895 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.240741968 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242193937 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242244959 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242281914 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242291927 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242319107 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242333889 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242567062 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242614985 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242640018 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242655039 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242681026 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242695093 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242723942 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242733955 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.242758036 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.242775917 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263499022 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263562918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263609886 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263628006 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263660908 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263690948 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263793945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263847113 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263881922 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263884068 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263896942 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.263906956 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263928890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.263956070 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.284796000 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.284864902 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.284919024 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.284946918 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.284976006 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.284992933 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.285260916 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.285300016 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.285335064 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.285351992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.285379887 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.285402060 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.306251049 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.306313992 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.306385040 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.306401014 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.306449890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.306449890 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.306606054 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.306648970 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.306674004 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.306689978 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.306719065 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.306742907 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.327460051 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.327510118 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.327601910 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.327617884 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.327732086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.327732086 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.327874899 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.327919960 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.327946901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.327958107 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.327987909 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.328013897 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.348860979 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.349016905 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.349078894 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.349235058 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.349292040 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.349327087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.349327087 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.349350929 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.349390984 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.349419117 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370187044 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370337009 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370397091 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370558023 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370563984 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370577097 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370641947 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370665073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370665073 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370682001 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370706081 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.370732069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370732069 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.370773077 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.391469002 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.391521931 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.391726017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.391726017 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.391742945 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.391815901 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.391931057 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.391983986 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.392019033 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.392035961 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.392066956 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.392107010 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:30.392433882 CEST	443	49707	8.18.62.6	192.168.2.7
Apr 18, 2024 06:25:30.392486095 CEST	49707	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:37.703008890 CEST	49706	443	192.168.2.7	8.18.62.6
Apr 18, 2024 06:25:37.703171015 CEST	49707	443	192.168.2.7	8.18.62.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 06:25:21.452157974 CEST	59705	53	192.168.2.7	1.1.1.1
Apr 18, 2024 06:25:21.599008083 CEST	53	59705	1.1.1.1	192.168.2.7
Apr 18, 2024 06:25:22.289244890 CEST	57522	53	192.168.2.7	1.1.1.1
Apr 18, 2024 06:25:22.473436117 CEST	53	57522	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 06:25:21.452157974 CEST	192.168.2.7	1.1.1.1	0x1b83	Standard query (0)	support.lockwoodbroadcast.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 06:25:22.289244890 CEST	192.168.2.7	1.1.1.1	0x8d0c	Standard query (0)	support.lockwoodbroadcast.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 06:25:21.599008083 CEST	1.1.1.1	192.168.2.7	0x1b83	No error (0)	support.lockwoodbroadcast.com		8.18.62.6	A (IP address)	IN (0x0001)	false
Apr 18, 2024 06:25:22.473436117 CEST	1.1.1.1	192.168.2.7	0x8d0c	No error (0)	support.lockwoodbroadcast.com		8.18.62.6	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

support.lockwoodbroadcast.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	8.18.62.6	443	3624	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 04:25:22 UTC	243	OUT	GET /as/wapi/get_client_size?client_type=0&xml_format=Y&client=pc&myrand11262017=fsOpyNl7RRDmyVQ8cYMYTocPl4347283&rdm=1713420883 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: support.lockwoodbroadcast.com Connection: Keep-Alive
2024-04-18 04:25:22 UTC	177	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 00:25:22 GMT Cache-Control: no-store Accept-Ranges: bytes Content-Type: text/html Content-Length: 86 X-Frame-Options: SAMEORIGIN
2024-04-18 04:25:22 UTC	86	IN	Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 54 68 65 20 63 6c 69 65 6e 74 20 73 69 7a 65 20 69 73 20 3c 5f 5f 43 6c 69 65 6e 74 53 69 7a 65 5f 5f 3e 31 30 39 32 31 30 30 33 3c 2f 5f 5f 43 6c 69 65 6e 74 53 69 7a 65 5f 5f 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><body>The client size is <__ClientSize__>10921003</__ClientSize__></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	8.18.62.6	443	3624	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 04:25:22 UTC	225	OUT	GET /as/wapi/get_client?client_type=0&client=pc&myrand11262017=1s4z4AVItfvg3fyyYjjDdD6L2c347284&rdm=1713420884 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: support.lockwoodbroadcast.com Connection: Keep-Alive
2024-04-18 04:25:23 UTC	245	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 00:25:22 GMT Cache-Control: no-store CAccept-Ranges: bytes Content-Type: application/octet-stream Last-Modified: Thu, 18 Apr 2024 00:25:22 GMT Content-Length: 10921003 X-Frame-Options: SAMEORIGIN
2024-04-18 04:25:23 UTC	14100	IN	Data Raw: 0f 00 00 00 43 6c 69 65 6e 74 44 61 74 61 62 61 73 65 00 c0 02 00 00 a4 01 78 9c ed 58 61 6b d3 40 18 de 88 3f a0 5d ee 12 06 ab 74 ba 16 c6 14 99 bd 0f 13 56 e8 50 eb 87 ac b8 a8 d5 5a 19 bb 96 92 80 30 e8 b5 a4 4d 93 e5 3f 38 c7 ec 37 ff 9b fe 01 7f 81 e2 25 4d ba 5c 93 26 55 c4 2a bd 07 12 2e f7 de 73 ef 7b ef 3d 2f 5c ee d9 d3 86 83 09 ea 65 00 84 e0 15 42 b7 d6 d6 d7 d7 2a f9 3c 00 20 e7 3f 01 44 fa 64 42 df 10 a4 23 07 1e 7d ff 91 a5 0d 49 fe ea 7d cb df 26 0d 0e 0e 8e 25 62 c3 2d e5 ac b4 e9 b6 69 93 d6 e5 97 25 47 c4 c1 c1 f1 37 20 5f 5d c8 60 4b 86 32 c8 05 f5 cf c1 c1 b1 7a e0 f5 cf c1 b1 ba 70 eb 1f c2 63 00 8f e9 eb 9f c2 f5 03 28 0a e5 32 fc 54 c0 c6 c0 24 43 d3 21 16 56 74 82 b1 63 f5 d9 2f e9 4d 55 ad 57 54 54 a9 bf 6e a8 88 b5 a1 c3 db c8 Data Ascii: ClientDatabasexXak@?]tVPZ0M?87%M\&U.s{=/\eB< ?DdB#}I}&%b-i%G7 _]`K2zpc(2T$C!Vtc/MUWTTn
2024-04-18 04:25:23 UTC	14338	IN	Data Raw: 18 6b 52 f3 7f 7a 1f d4 85 ff 2e 10 a9 ef 91 6b 08 d7 9e 8d 05 7f 26 6f 36 c5 f5 47 c2 3e c1 dc 39 4b d4 4a fb 51 de ef e9 7b fa f3 83 71 39 37 e8 e9 e4 d5 4b a6 f7 c2 f0 fe fc a2 e0 59 e3 9a 82 ef 8b 58 6b 52 f7 ae 87 73 5e f2 57 d1 c9 3b fc 85 f4 73 2c cb b7 26 38 fb 14 3e ef c6 d7 a4 ee 6f 24 af dd 27 84 cf 06 d4 4a df 62 d0 da 73 2c 79 ef 35 66 cd 2d 85 97 51 d8 67 a9 c6 9f 88 ff 7f ea 1e 85 99 55 e6 02 e9 19 dd f4 77 56 24 cb 50 83 e3 29 59 93 96 c6 bb 95 15 53 fe ae 9e 96 62 e6 aa a7 95 75 5c a7 62 2e 6c f6 9d 60 8d c1 15 6e 6a 26 cd 7b 1f 2e ab 6e 7e 99 fe 67 9c d9 df e1 91 5c 1d a6 9f 1b 52 83 e3 a4 3e fc 84 7e 4e c6 b1 95 3d b7 24 6b 62 8a aa a6 f9 27 fd 6d 44 79 c7 ef ff 63 f5 ca fc 06 92 bc f7 e9 72 d4 27 fd bd 41 a9 ef ae 4a bd 49 50 1b cc 54 Data Ascii: kRz.k&o6G>9KJQ{q97KYXkRs^W;s,&8>o$'Jbs,y5f-QgUwV$P)YSbu\b.l`nj&{.n~g\R>~N=$kb'mDycr'AJIPT
2024-04-18 04:25:23 UTC	3306	IN	Data Raw: 6d 8f 07 97 db 3c 26 78 83 ca 7d ec 58 70 7f f8 ef 2c b7 41 65 fe 91 28 77 c7 13 2f bd dc bb 9f 08 2e 37 95 f5 c8 13 bf 3f e5 ee 38 6d 51 e8 00 80 78 cf 58 ba 28 d4 01 20 fa 0d 2b 16 85 0a 80 a3 80 58 23 60 d5 a2 d0 c1 55 22 dc d1 75 08 b7 1e 6e 80 1e e7 c0 06 d0 6a 81 5f 2b e2 02 62 1b e1 06 1c 02 1c 3f 7b 91 33 46 b7 ad 86 df 2b 81 5f 03 7a e7 2c 0a 1d 01 1c 7a b3 c8 c7 b1 37 bb 34 0f 1d 40 3c 80 f1 56 84 05 1c 7a ab 9b 8f e3 6f 75 e3 1c b8 c5 9b 8f a3 b7 b8 79 3f fe 61 37 ce ec 5f 68 e9 cc ba 71 76 e3 bd ed 33 6e 3a b3 77 bb 71 cc 3b 44 1c fa c6 77 e4 b3 be 74 ee 41 b8 c3 a0 47 f0 39 2d 0e ad 09 c8 74 0a c7 dc 38 1d 3f 84 1f 60 f6 09 c4 ff 11 d2 7c d2 8d 73 e8 29 37 6f b1 e7 bc e9 1c 7a 4e e4 ed d0 f3 78 fe 46 8b 83 77 9a 57 74 5c b5 38 b4 1b 70 e8 ca Data Ascii: m<&x}Xp,Ae(w/.7?8mQxX( +X#`U"unj_+b?{3F+_z,z74@<Vzouy?a7_hqv3n:wq;DwtAG9-t8?`\|s)7ozNxFwWt\8p
2024-04-18 04:25:23 UTC	14338	IN	Data Raw: e2 5e 5d a6 79 e5 a0 0e bb a4 55 d8 56 29 23 82 c3 34 73 ce 82 fd 05 ae dd 08 fe 0e 4f d2 8b e4 d3 b9 1c ee 5c ce 45 cc e1 55 ef 3e 51 ff 17 87 bc 94 b1 7a dc ca f3 a0 95 7e f4 ab 77 34 a0 09 ae d9 2c cb 6c 95 ae a8 99 b4 cc a7 2e 67 6c 96 bc 6a c7 4c 4e 8e ef 6a a5 ce dd c1 a1 d6 e9 d3 ac 1d 05 69 ba fe d3 34 ed 9c 7f d5 12 cd 68 97 cd f8 6b e5 ff 6d 99 27 43 1b b7 2a c3 78 cb 95 65 2e a2 7c af 71 be 6e 89 31 c6 5d 25 aa ac e1 b4 23 8b a7 8d 8c 67 9d 52 5f 03 d1 4f 18 b9 23 9a bb 62 5f 6d 5e e7 ae 6f 51 69 eb d1 13 84 8e 18 d3 38 41 d4 80 57 2f 75 f1 02 eb 96 52 2f 8b 68 27 35 d7 d5 57 53 95 5e 9b 31 52 4e ce 83 57 62 dd f5 77 ff 0a ac e5 94 d2 6b 5d c1 6d fd e0 79 a4 be 2a bb 81 7b 77 9e e3 28 2d db 9f 72 7d 8d 79 b1 db 7b bc ab 83 39 43 ed 89 50 6b 3b Data Ascii: ^]yUV)#4sO\EU>Qz~w4,l.gljLNji4hkm'Cxe.\|qn1]%#gR_O#b_m^oQi8AW/uR/h'5WS^1RNWbwk]my{w(-r}y{9CPk;
2024-04-18 04:25:23 UTC	14338	IN	Data Raw: 7c 6e 96 cf 2d f2 c9 07 ae 23 f1 f8 50 dc 55 4e 7a e3 6b ea 8d 9d e1 f8 60 74 b0 b7 dd 14 f7 4f f2 5c 9a c7 01 69 99 3e 29 44 8d 25 83 1b 9d a4 7f 8b 09 b7 09 35 29 65 76 6e 6a 67 c3 ba 17 93 ea 9a 4d 8e 5b d9 31 cc 10 2f a6 1e 1e 29 64 a0 2f cb 60 9b a1 b6 f2 32 36 07 ec 8f 74 62 e4 59 47 eb 0a eb 2b c3 6e 09 08 4b 33 d8 8b 85 dc a8 cc c3 d6 aa 79 18 81 c6 35 91 21 93 24 fd e4 cf 92 67 d8 9d 5b 0a 19 48 2a ab dc 22 5e cf 7d 3e e9 1e 8e f7 21 bb 78 6d 91 6a 2a 40 f5 a4 13 a6 ee 54 88 be 8d 52 16 e3 9b 4c b1 09 ae 9d 27 24 17 53 18 f1 99 4c 96 47 85 db 2c 03 b4 55 c1 6f a9 42 c0 a7 6d 52 95 60 b4 80 da 8e 06 8b 0b fd 3d 6d 32 63 f1 a2 98 2a a6 31 90 b1 53 03 49 7b 0f 84 16 ed eb 96 f2 4e 86 6f b6 3d 81 7b 8a de 90 bd 3e 37 7d df 8f a5 84 5b 9c 94 88 b1 58 Data Ascii: \|n-#PUNzk`tO\i>)D%5)evnjgM[1/)d/`26tbYG+nK3y5!$g[H"^}>!xmj@TRL'$SLG,UoBmR`=m2c*1SI{No={>7}[X
2024-04-18 04:25:23 UTC	3068	IN	Data Raw: 83 f7 de 53 d6 6a 7a 61 23 9f 17 90 c8 7f cd ab bc a7 bd 9d c4 ce 9b 3a e0 f2 43 ae fd 5a 75 e0 b5 e7 be fa 9f 5e fb ce 76 83 6b 1f cd af 3d 42 9b c2 a7 0e 27 c9 b6 74 b4 13 c8 bf 9d aa 48 7e 3b fe 2c 13 c6 bd 33 d8 8d 01 da 86 d9 ba d5 4b 0f ad 85 cc a2 e3 78 bf e0 27 29 b3 cc 9e 86 6b 1d ea db ff e4 4f 98 d0 bb 2e cc 7b 65 32 a3 aa af 90 fb 2a 1f 48 c3 09 e4 c2 5a bd 1d 74 c0 30 e6 bf 38 f2 d4 f1 90 41 de 7c f4 8b f9 4c ff dc 67 69 41 bf e2 02 95 ca ba c7 b5 db 13 2c d1 0f d5 33 68 93 7e 1f 61 1d 7e 3f 29 9e fa c1 b3 4c ab ed 7e 5f 3c df 4a c2 a7 1e e0 5b 47 90 f7 14 0d a5 ef a0 17 83 d4 b5 3b d8 d6 32 67 fd 16 53 78 e7 43 6a f1 0e cd d1 cd dc 42 8e ae 59 1d 3b 89 1c dd fa 70 a8 4d e7 8f d4 99 7c f7 95 5a 53 76 4a da 51 5f df c6 c6 81 fa 31 38 2c 4f f6 Data Ascii: Sjza#:CZu^vk=B'tH~;,3Kx')kO.{e2*HZt08A\|LgiA,3h~a~?)L~_<J[G;2gSxCjBY;pM\|ZSvJQ_18,O
2024-04-18 04:25:23 UTC	14338	IN	Data Raw: a1 55 36 75 3e ab 7f 00 2d df 1e f0 67 f4 e4 63 ae bd a1 0f 7a dc 27 6f e8 75 28 5b 69 fc 7a 73 36 ba 9f 5a fe 03 0d 10 a6 0d f4 1c e4 34 28 9b bb cf bf b5 07 1d 5a 9d bc 11 17 cf 0e a4 f3 71 6a ef 9b 8b 70 82 43 9d c3 cf 58 ff 21 1d dd eb df 2a 8d a0 87 93 36 4a fc e9 cb 90 67 d4 e8 41 a4 ec bc 7c 54 fb 59 9c 4d 89 bf 59 4a 04 4e 55 23 49 a6 7a 3d 01 9e 76 b2 b2 b5 39 8a 3d cc 3b b6 fc f0 69 fa 4f 4b ee 28 f5 d8 5f 51 7a af d0 76 94 5d 1f fa c4 e1 16 d8 69 32 3b f4 78 25 3b 6c 60 92 90 01 64 f8 cd 32 a4 94 e7 a0 94 e9 b2 e9 9a 49 0b d8 9b 9c e2 72 6f 05 53 de ea 8d 60 ef 8b c9 95 eb 23 98 87 b1 b5 14 7f d3 94 ac 9e c6 ca f5 33 b5 09 fb d6 2d f8 63 9c 8e d7 38 9d 9b 07 a5 53 2d d2 29 d7 d2 71 19 a4 53 33 38 1d 7a f2 e5 9b 7c 4c b4 cf b9 46 2a 1f aa 5f 37 Data Ascii: U6u>-gcz'ou([izs6Z4(ZqjpCX!6JgA\|TYMYJNU#Iz=v9=;iOK(_Qzv]i2;x%;l`d2IroS`#3-c8S-)qS38z\|LF_7
2024-04-18 04:25:23 UTC	14338	IN	Data Raw: 92 7f e7 68 5a 7b 3d aa 26 ca 80 04 09 7f bb 16 63 a9 e0 11 9a cf 43 c5 0c 34 51 50 21 39 d8 a8 a7 c4 04 43 17 3a 30 f1 d7 a1 c4 37 a3 bc 76 85 af 30 51 09 25 da a3 4b 7e 03 89 ed 8f 68 78 cd 9d 0b fa f4 29 b4 df 8e 9a 8f 50 17 0c 91 da 85 73 98 77 32 82 4a 4f 34 84 3a 16 2e 60 a2 db 90 68 88 9a 2c 5c c6 c4 c4 48 e2 d6 e8 10 d9 82 09 58 80 f6 bf 5f 89 a4 1f 8c 4e b7 60 7a 23 a6 13 a8 12 e0 a7 fa 36 86 ff df 66 28 d3 14 5d a6 1f 96 79 de 90 de 19 9d 6e c7 f4 25 86 74 67 34 64 1c 98 5e 7a 25 04 99 bf 22 64 06 c5 85 21 b3 b5 3b ba ba 21 98 dd 6d a8 6e 6d 74 7a 32 a6 5b 0d e9 ee e8 e6 86 63 fa 99 cb 91 74 6b 74 fa 08 4c 3f 68 48 6f 8d ae 7f 14 a6 6f 8e a4 1b e3 f3 0b 6e 4c 5c 65 28 6c 8a ae fc 06 4c 7f 98 d2 f1 da b3 f2 a8 10 ca 14 1a 1a 78 e7 2e 4b 19 da e5 Data Ascii: hZ{=&cC4QP!9C:07v0Q%K~hx)Psw2JO4:.`h,\HX_N`z#6f(]yn%tg4d^z%"d!;!mnmtz2[ctktL?hHoonL\e(lLx.K
2024-04-18 04:25:23 UTC	3068	IN	Data Raw: e6 bc f8 36 b0 b3 2a 9b e6 6b 63 3e 07 ec 6f cc 6f e2 03 b4 e1 ae c0 4c 8b 3e 17 6e 0b 5c ab c5 4e ad ba 43 53 ba b4 7a ae 55 1d 43 74 3a 3d 4b 72 95 e1 9e 07 1d ca 10 8f df 69 5d 83 4a 14 b5 51 60 ef 18 2b 3f 1e f1 ed f3 c7 ea 6c c0 ab f9 e7 06 03 f1 a5 76 5c ec 83 7d de 62 9b 7c ab 5a ef 34 58 d7 6c 21 ac 1e 65 87 91 4b 65 68 6b 39 b1 03 d8 9b 25 22 1e fe 0b 88 fd 99 36 4f f9 51 eb 6a 24 71 ea 19 4b ad 29 6c 59 50 81 bc a3 9f af ef a0 85 c5 66 e6 b2 62 89 18 bc 22 a3 56 9c 1b b5 c4 8a 5d 9e 62 57 6d 36 2b b6 14 6a c5 ae fb 66 ba f2 23 4a 0f 5b e8 64 55 c7 60 1f ce 55 9b 3a 4c b0 ef 39 3b 57 e1 c7 90 01 4a a7 36 d3 01 62 40 a5 13 3e 4f 50 93 fa 8e 98 72 5c 2b ce d3 2a 27 b1 4b 2a 53 96 62 7b 22 21 6e 7c 39 6e fa 9d 58 8e b9 a9 ce 96 80 53 58 84 e5 e7 61 Data Ascii: 6kc>ooL>n\NCSzUCt:=Kri]JQ`+?lv\}b\|Z4Xl!eKehk9%"6OQj$qK)lYPfb"V]bWm6+jf#J[dU`U:L9;WJ6b@>OPr\+'K*Sb{"!n\|9nXSXa
2024-04-18 04:25:23 UTC	14338	IN	Data Raw: 2b 80 57 9c 5e e3 29 19 ae 4c 5d b9 62 84 51 b9 c1 fa a7 12 8b fa a8 7a de 20 4f b4 6e 2e 71 98 80 23 3a 0f df b1 d9 92 a9 4c f2 96 1f af 33 69 e5 c7 59 c9 c8 32 13 86 d3 f4 fa f8 32 13 c0 b6 fe b1 64 44 a9 a9 4f 6d 19 89 dd 85 56 6a 5f 86 51 a1 a1 c9 30 f4 c3 2c 1e 89 aa d4 8e a4 67 21 53 7a 26 ee 61 2d 5a f9 a1 a6 2e 60 56 ae 32 b5 f1 fd 18 39 ae 13 86 88 66 1c ff 43 a4 e7 78 64 66 1e ab 3f 06 24 b0 58 42 bd 7a 9d 13 15 7a 95 2e ad d2 a2 15 db b4 4a 3b 74 4c 9b 99 ab d5 1f a3 71 dc 55 e3 09 0c 57 aa 69 1c 41 1c 07 2b ef 65 f3 56 9d 07 44 95 60 3a a6 12 47 dd 0d ac 8f 55 9f 77 ef 06 89 b7 58 1a 35 d3 c2 aa 7b 34 93 36 d3 0c 5c 05 6c cc 2c 68 47 dd 69 c3 71 97 6a d5 3d c0 00 1c 84 e6 01 0a 02 d3 00 92 fb 60 da 40 a1 61 18 6b 7d 57 ed 4a e6 3b 04 e3 2d c4 Data Ascii: +W^)L]bQz On.q#:L3iY22dDOmVj_Q0,g!Sz&a-Z.`V29fCxdf?$XBzz.J;tLqUWiA+eVD`:GUwX5{46\l,hGiqj=`@ak}WJ;-

Target ID:	0
Start time:	06:25:20
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe"
Imagebase:	0xe00000
File size:	790'064 bytes
MD5 hash:	8745C960022BCEFFF65C91A47374A169
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:25:31
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"
Imagebase:	0xca0000
File size:	688'888 bytes
MD5 hash:	8FCA72C59D3A9AA6EDA33C64DAA0296D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:15:01
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt
Imagebase:	0xad0000
File size:	18'097'912 bytes
MD5 hash:	D973EE70262ADF0A3D8AC412964517F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:15:02
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
Wow64 process (32bit):	true
Commandline:	TurboMeeting.exe --MagDetect
Imagebase:	0xad0000
File size:	18'097'912 bytes
MD5 hash:	D973EE70262ADF0A3D8AC412964517F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:15:05
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
Wow64 process (32bit):	true
Commandline:	TurboMeeting.exe --VSEDetect
Imagebase:	0xad0000
File size:	18'097'912 bytes
MD5 hash:	D973EE70262ADF0A3D8AC412964517F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17%
Total number of Nodes:	2000
Total number of Limit Nodes:	68

Executed Functions

Function 00E72440 Relevance: 109.1, APIs: 30, Strings: 32, Instructions: 640
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetSetOptionA.WININET(00000000,00000049,0000000A,00000004), ref: 00E7254E
InternetSetOptionA.WININET(00000000,0000004A,0000000A,00000004), ref: 00E72561
InternetOpenA.WININET(Microsoft Internet Explorer,00000003,?,?,00000000), ref: 00E72618
InternetSetOptionA.WININET(00000000,00000002,?), ref: 00E7263F
WSAGetLastError.WS2_32 ref: 00E72649
InternetSetOptionA.WININET(?,00000006,00015F90,00000004), ref: 00E72694
WSAGetLastError.WS2_32 ref: 00E7269E
InternetSetOptionA.WININET(?,00000005,00015F90,00000004), ref: 00E726E9
WSAGetLastError.WS2_32 ref: 00E726F3
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E727B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00E727C6

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

HttpOpenRequestA.WININET(?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00E7284D
WSAGetLastError.WS2_32 ref: 00E7285A
InternetQueryOptionA.WININET(?,0000001F,?,?), ref: 00E728CD
InternetSetOptionA.WININET(?,0000001F,00003380,00000004), ref: 00E728EB
HttpSendRequestA.WININET(?,?,?,?,?), ref: 00E72982
HttpSendRequestA.WININET(?,00000000,00000000,00000000,00000000), ref: 00E7299B
WSAGetLastError.WS2_32 ref: 00E729A5

Strings

HR::DoRequest succeeded! Read1 Completed!, xrefs: 00E72C6B
Recv lTimeout=%d, error code: %d, error: %s, xrefs: 00E726B7
HR::DoRequest, xrefs: 00E724EF, 00E72594, 00E72673, 00E726C8, 00E7271D, 00E72747, 00E727EA, 00E72813, 00E7288D, 00E729D8, 00E72A4A, 00E72A87, 00E72ACF, 00E72B26, 00E72B64, 00E72C31, 00E72CC2, 00E72D00
after HR, xrefs: 00E7287C
I-Open failed error code: %d, error: %s, xrefs: 00E72D74
failed to connect. error code: %d, error: %s, xrefs: 00E727D9
after IRF, xrefs: 00E72ABE
HR::DoRequest succeeded! m_iExpectedReceiveSize = %d, m_bUseMinReadBuffer = %s, xrefs: 00E72B53
after HSR, xrefs: 00E729C7
HR::DoRequest succeeded! Read2 Completed!, xrefs: 00E72CB1
(, xrefs: 00E72BA2
Send lTimeout=%d, error code: %d, error: %s, xrefs: 00E7270C
HSR resend -- ERROR_INTERNET_FORCE_RETRY failed error code: %d, error: %s, xrefs: 00E72B15
Invalid page returned: %s, xrefs: 00E72CF0
Microsoft Internet Explorer, xrefs: 00E72613
HSR failed. error code: %d, error: %s, xrefs: 00E729B8
IRE() error code: %d, error: %s, xrefs: 00E72C5C, 00E72CA2
Skip 127.0.0.1, xrefs: 00E724DF
POST, xrefs: 00E728FE
failed to open-r: error code: %d, error: %s, xrefs: 00E7286D
after IC, xrefs: 00E72802
after HQI, xrefs: 00E72A39
Begin HR::DoRequest(), sIP = %s, iPort = %d, cPType=%c, sByPass=%s, sPAddress=%s, URL=%s, xrefs: 00E72583
after HQI troubled dwCode = %d, xrefs: 00E72A76
after ISO lTimeout = %d, xrefs: 00E72736
%s&rdm=%ld, xrefs: 00E7278E
HQ() failed error code: %d, error: %s, xrefs: 00E72A2A
%s?rdm=%ld, xrefs: 00E72795
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E724E9, 00E7258D, 00E7266C, 00E726C1, 00E72716, 00E72740, 00E727E3, 00E7280C, 00E72886, 00E729D1, 00E72A43, 00E72A80, 00E72AC8, 00E72B1F, 00E72B5D, 00E72C2A, 00E72CBB, 00E72CFA
InternetReadFile() iSizeToRead = %d, xrefs: 00E72C20
Conn lTimeout=%d, error code: %d, error: %s, xrefs: 00E72662
127.0.0.1, xrefs: 00E7247B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Internet$Option$ErrorLast$HttpRequest$CriticalOpenSectionSend$ConnectEnterLeaveQuery
String ID: %s&rdm=%ld$%s?rdm=%ld$($127.0.0.1$Begin HR::DoRequest(), sIP = %s, iPort = %d, cPType=%c, sByPass=%s, sPAddress=%s, URL=%s$Conn lTimeout=%d, error code: %d, error: %s$HQ() failed error code: %d, error: %s$HR::DoRequest$HR::DoRequest succeeded! Read1 Completed!$HR::DoRequest succeeded! Read2 Completed!$HR::DoRequest succeeded! m_iExpectedReceiveSize = %d, m_bUseMinReadBuffer = %s$HSR failed. error code: %d, error: %s$HSR resend -- ERROR_INTERNET_FORCE_RETRY failed error code: %d, error: %s$I-Open failed error code: %d, error: %s$IRE() error code: %d, error: %s$InternetReadFile() iSizeToRead = %d$Invalid page returned: %s$Microsoft Internet Explorer$POST$Recv lTimeout=%d, error code: %d, error: %s$Send lTimeout=%d, error code: %d, error: %s$Skip 127.0.0.1$after HQI$after HQI troubled dwCode = %d$after HR$after HSR$after IC$after IRF$after ISO lTimeout = %d$c:\rhub2\code\hlib\hlib.cpp$failed to connect. error code: %d, error: %s$failed to open-r: error code: %d, error: %s
API String ID: 157584972-963015178
Opcode ID: 0e268485d21e8108889f99e99826fcbbb2767676cdcf1b0ba49dc8c5472e90fe
Instruction ID: 4742bf8b5d77563e9bfa4c3f223709e1063d9d0ab9ce6d8bfb20cba1da955ea5
Opcode Fuzzy Hash: 0e268485d21e8108889f99e99826fcbbb2767676cdcf1b0ba49dc8c5472e90fe
Instruction Fuzzy Hash: D032F771A40305BFEB219F20DC06FFA7779AF15704F046194FA0DB62D2D7B26A898B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E01596 Relevance: 77.5, APIs: 16, Strings: 28, Instructions: 477
windownetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00E01C65,904898A6,?,?,?,?,00E75578,000000FF), ref: 00E015CF
#17.COMCTL32(?,?,?,?,00E75578,000000FF), ref: 00E015D5

Part of subcall function 00E264C7: __EH_prolog3.LIBCMT ref: 00E264CE

_wprintf.LEGACY_STDIO_DEFINITIONS ref: 00E0160C
GetClassInfoW.USER32(?,#32770,?), ref: 00E01684
WSAStartup.WS2_32(00000101,?), ref: 00E01728

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 00E01811
_strlen.LIBCMT ref: 00E01894
_strlen.LIBCMT ref: 00E018B4

Part of subcall function 00E0AD00: _strstr.LIBCMT ref: 00E0AD50

Part of subcall function 00E01486: _strlen.LIBCMT ref: 00E0149D

GetModuleFileNameW.KERNEL32(00000000,?,00000200,00E7B918), ref: 00E01A0C

Part of subcall function 00E16610: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,?,00003829,?,?,00E017B0,?,00000000,00001000), ref: 00E16644
Part of subcall function 00E16610: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00E017B0,?,00000000,00001000,?,?), ref: 00E16661

PathStripPathW.SHLWAPI(?), ref: 00E01A30
_strstr.LIBCMT ref: 00E01A81
_strstr.LIBCMT ref: 00E01A9B
_strlen.LIBCMT ref: 00E01AF4
LoadImageW.USER32(00000086,00000001,00000010,00000010,00008000), ref: 00E01BE3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E01BFC
PostMessageW.USER32(?,?,?,?), ref: 00E01C5B

Strings

invalid sCurrentFileName = %s, xrefs: 00E01AAF
No Meeting Parameter, sClientName = %s, xrefs: 00E01B48
Failed to open this exe file, xrefs: 00E01983
m_lpCmdLine = %s, xrefs: 00E017BA
2..., xrefs: 00E01625
Invalid setting, xrefs: 00E0193D
PCSetupApp::InitInstance(), xrefs: 00E016CE, 00E017C7, 00E01843, 00E01962, 00E01990, 00E01A50, 00E01A69, 00E01ABB, 00E01B54
sCurrentFilePath = %s, sCurrentFileName = %s, xrefs: 00E01A5D
V&&VI***DDDD111111###!!!!#####$$$%%@@@UUUU, xrefs: 00E01888, 00E01893, 00E0189B, 00E018AF
CTMeeting, xrefs: 00E01B8B
#32770, xrefs: 00E0167B
TMSetupWindow, xrefs: 00E01695, 00E0169B, 00E016C0
TMSetup.txt, xrefs: 00E01631
starter, xrefs: 00E01A95
1..., xrefs: 00E01607
Ymeetee, xrefs: 00E01BB5
PK, xrefs: 00E0161C, 00E0163E, 00E016D3, 00E017CC, 00E01848, 00E01967, 00E01995, 00E01A6A, 00E01ABC, 00E01B55
TMSetup, xrefs: 00E015F8
sCurrentFilePath = %s, xrefs: 00E01836
3..., xrefs: 00E0164D
c:\rhub2\pcsetup\pcsetup.cpp, xrefs: 00E016C8, 00E017B4, 00E017C4, 00E01840, 00E01928, 00E0195A, 00E0195F, 00E0198D, 00E01A67, 00E01AB9, 00E01B52
</__OEMId__>, xrefs: 00E01B6F
Starter, xrefs: 00E01A7B
<__OEMId__>, xrefs: 00E01B7A
Failed to find parameters, xrefs: 00E01950
Local AppWizard-Generated Applications, xrefs: 00E015EC
Valid sSetting, xrefs: 00E01931
AfxRegisterClass failed for %s, xrefs: 00E016C1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strlen$_strstr$ByteCharCriticalFileMessageModuleMultiNamePathSectionWide$ClassEnterExceptionFilterH_prolog3ImageInfoLeaveLoadPostSendStartupStripUnhandled_wprintf
String ID: #32770$1...$2...$3...$</__OEMId__>$<__OEMId__>$AfxRegisterClass failed for %s$CTMeeting$Failed to find parameters$Failed to open this exe file$Invalid setting$Local AppWizard-Generated Applications$No Meeting Parameter, sClientName = %s$PCSetupApp::InitInstance()$PK$Starter$TMSetup$TMSetup.txt$TMSetupWindow$V&&VI***DDDD111111###!!!!#####$$$%%@@@UUUU$Valid sSetting$Ymeetee$c:\rhub2\pcsetup\pcsetup.cpp$invalid sCurrentFileName = %s$m_lpCmdLine = %s$sCurrentFilePath = %s$sCurrentFilePath = %s, sCurrentFileName = %s$starter
API String ID: 3870634492-1026966788
Opcode ID: 544e5392850c0f7194d484608c3a2864bdad3f9786e36bbd825ed7ea6cad8d91
Instruction ID: 020d59d1cfe2fac50b1f7c6e7ba5d00cf1dcdec659ed3ab25fb40951bb6cf293
Opcode Fuzzy Hash: 544e5392850c0f7194d484608c3a2864bdad3f9786e36bbd825ed7ea6cad8d91
Instruction Fuzzy Hash: 78029371940318AFDB24EB60DC8AFDA77B8AB04704F0454E9F519B71D2DBB09AC4CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00E70F20 Relevance: 77.4, APIs: 3, Strings: 41, Instructions: 369
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000200,00000000,?,?,00000000), ref: 00E713EF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000200,00000000,00000000,00000000,00000000,004BEC50,?,?,00000000), ref: 00E71429
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00EB0A00,00000000,00000000,00000000,?,?,00000000), ref: 00E71450

Strings

Cannot assign requested address., xrefs: 00E7116C
Winsock.dll version out of range., xrefs: 00E7131C
Network is down., xrefs: 00E71187
Too many open files., xrefs: 00E70FD7
Operation now in progress., xrefs: 00E7100D
Bad protocol option., xrefs: 00E710AF
Too many processes., xrefs: 00E712E6
Successful WSAStartup not yet performed., xrefs: 00E71337
Network dropped connection on reset., xrefs: 00E711BD
Interrupted function call., xrefs: 00E70F6B
Invalid argument., xrefs: 00E70FBC
Address already in use., xrefs: 00E71151
Host is down., xrefs: 00E712B0
Message too long., xrefs: 00E71079
No buffer space available., xrefs: 00E7120E
Permission denied., xrefs: 00E70F86
Valid name, no data record of requested type., xrefs: 00E71481
Protocol family not supported., xrefs: 00E7111B
Operation already in progress., xrefs: 00E71028
Connection reset by peer., xrefs: 00E711F3
Connection timed out., xrefs: 00E7127A
Protocol not supported., xrefs: 00E710CA
Destination address required., xrefs: 00E7105E
Cannot send after socket shutdown., xrefs: 00E7125F
Bad address., xrefs: 00E70FA1
MySocket operation on nonsocket., xrefs: 00E71043
MySocket is not connected., xrefs: 00E71244
Address family not supported by protocol family., xrefs: 00E71136
MySocket is already connected., xrefs: 00E71229
Connection refused., xrefs: 00E71295
Software caused connection abort., xrefs: 00E711D8
Nonauthoritative host not found., xrefs: 00E714BE
Operation not supported., xrefs: 00E71100
MySocket type not supported., xrefs: 00E710E5
Protocol wrong type for socket., xrefs: 00E71094
Network is unreachable., xrefs: 00E711A2
No route to host., xrefs: 00E712CB
Resource temporarily unavailable., xrefs: 00E70FF2
This is a nonrecoverable error., xrefs: 00E7149C
Network subsystem is unavailable., xrefs: 00E71301
Host not found., xrefs: 00E71388

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$FormatMessage
String ID: Address already in use.$Address family not supported by protocol family.$Bad address.$Bad protocol option.$Cannot assign requested address.$Cannot send after socket shutdown.$Connection refused.$Connection reset by peer.$Connection timed out.$Destination address required.$Host is down.$Host not found.$Interrupted function call.$Invalid argument.$Message too long.$MySocket is already connected.$MySocket is not connected.$MySocket operation on nonsocket.$MySocket type not supported.$Network dropped connection on reset.$Network is down.$Network is unreachable.$Network subsystem is unavailable.$No buffer space available.$No route to host.$Nonauthoritative host not found.$Operation already in progress.$Operation not supported.$Operation now in progress.$Permission denied.$Protocol family not supported.$Protocol not supported.$Protocol wrong type for socket.$Resource temporarily unavailable.$Software caused connection abort.$Successful WSAStartup not yet performed.$This is a nonrecoverable error.$Too many open files.$Too many processes.$Valid name, no data record of requested type.$Winsock.dll version out of range.
API String ID: 928994880-24440330
Opcode ID: bc4be27d0e6bec269580cad1c234d902d056fddadc3510a96ed5e7f1a807f92e
Instruction ID: f6eb757624e0c77290343838ebcace48129e1cc1949e6c8e489eea5c4fbc2eeb
Opcode Fuzzy Hash: bc4be27d0e6bec269580cad1c234d902d056fddadc3510a96ed5e7f1a807f92e
Instruction Fuzzy Hash: F0C195E57005000BEF38E728E417BAE73D4BBD8704FC9545AA35EBA3D1E9789942C58E

Uniqueness

Uniqueness Score: -1.00%

Function 00E082A0 Relevance: 72.3, APIs: 6, Strings: 35, Instructions: 581
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

GetTempPathW.KERNEL32(00000200,?), ref: 00E08348
Sleep.KERNEL32(000007D0), ref: 00E08496

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

CopyFileW.KERNEL32(?,?,00000000), ref: 00E08659
ShellExecuteExW.SHELL32(0000003C), ref: 00E08836

Part of subcall function 00E13BD0: GetVersionExW.KERNEL32(00000000), ref: 00E13C03
Part of subcall function 00E13BD0: GetVersionExW.KERNEL32(00000000), ref: 00E13C18

GetLastError.KERNEL32 ref: 00E088AB
GetFileAttributesW.KERNEL32(?), ref: 00E0895B

Part of subcall function 00E0EEE0: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,Function: ,0000000B,?,?,?,00E7B918,00000000,?), ref: 00E0F484
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?), ref: 00E0F4B1

Strings

MXmeeting, xrefs: 00E08717, 00E088D6
runas, xrefs: 00E08802
m_sSetupDirectory: %s, xrefs: 00E082C3
%s\%s.exe, xrefs: 00E08915, 00E0899A
ShellExecuteEx() sInstaller = %s, xrefs: 00E08847
StartProcess(sStartProcess = %s, m_sSetupDirectory = %s), xrefs: 00E08A55
It is MXmeeting, xrefs: 00E0874D
--called_by_downloader, xrefs: 00E0843E
open, xrefs: 00E087F3
%s\%s\%s, xrefs: 00E085F1
--client_name, xrefs: 00E08439
rsp1024hcmd.txt, xrefs: 00E0839B, 00E08506
<__WorkingDirectory__>%s</__WorkingDirectory__>, xrefs: 00E086AA
m_bCalledByClientToSyncVersion is true, xrefs: 00E085B9
"%s" %s %s %s, xrefs: 00E08450
@, xrefs: 00E087F8
%s\%s, xrefs: 00E083AD, 00E08512, 00E08620, 00E08779, 00E0892E
TMServiceCache.txt, xrefs: 00E085DA, 00E08614
\, xrefs: 00E0837D
<, xrefs: 00E087CE
m_bIsV4Client is true. Exit now, xrefs: 00E0849C
m_bCalledByClientToSyncVersion is false, xrefs: 00E086ED
m_bIsV4Client is false., xrefs: 00E084E5
c:\rhub2\code\setuphandler\setuphandler.cpp, xrefs: 00E082CD, 00E08418, 00E084A6, 00E084EF, 00E0857D, 00E085C3, 00E086D1, 00E086F7, 00E08757, 00E08851, 00E0888F, 00E088BC, 00E08977, 00E089B9, 00E08A5F
%s\WorkingDirectory.txt, xrefs: 00E08666
TMInstaller, xrefs: 00E0890F, 00E0898E
sInstaller = %s, xrefs: 00E089AF
TurboMeeting, xrefs: 00E085DF
Failed to open file to write: %s, xrefs: 00E0840E, 00E08573, 00E086C7
ShellExecuteEx() InstallService.exe failed, GetLastError() = %d, xrefs: 00E088B2
SetupHandler::CallToInstall, xrefs: 00E082D4, 00E0841F, 00E084AD, 00E084F6, 00E08584, 00E085CA, 00E086D8, 00E086FE, 00E0875D, 00E08858, 00E08896, 00E088C3, 00E0897E, 00E089C0, 00E08A66
"%s" %s, xrefs: 00E08A2E
It is XP, xrefs: 00E08885
TMLauncher.exe, xrefs: 00E0876D, 00E08928
Failed to find sInstaller = %s, xrefs: 00E0896D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$ErrorFileLastLeaveVersion$AttributesByteCharCopyEnterExecuteMultiPathShellSleepTempWide
String ID: "%s" %s$"%s" %s %s %s$%s\%s$%s\%s.exe$%s\%s\%s$%s\WorkingDirectory.txt$--called_by_downloader$--client_name$<$<__WorkingDirectory__>%s</__WorkingDirectory__>$@$Failed to find sInstaller = %s$Failed to open file to write: %s$It is MXmeeting$It is XP$MXmeeting$SetupHandler::CallToInstall$ShellExecuteEx() InstallService.exe failed, GetLastError() = %d$ShellExecuteEx() sInstaller = %s$StartProcess(sStartProcess = %s, m_sSetupDirectory = %s)$TMInstaller$TMLauncher.exe$TMServiceCache.txt$TurboMeeting$\$c:\rhub2\code\setuphandler\setuphandler.cpp$m_bCalledByClientToSyncVersion is false$m_bCalledByClientToSyncVersion is true$m_bIsV4Client is false.$m_bIsV4Client is true. Exit now$m_sSetupDirectory: %s$open$rsp1024hcmd.txt$runas$sInstaller = %s
API String ID: 2599472297-669430992
Opcode ID: b7692abd5dd9a21913a86bbfb3da1d7f68efd8b5a439c350f6f15eb11222df2d
Instruction ID: 02a4c5c5dd49cc4ec48dc09f17243af9f0b94cbb9870f714f948ba27a38d743f
Opcode Fuzzy Hash: b7692abd5dd9a21913a86bbfb3da1d7f68efd8b5a439c350f6f15eb11222df2d
Instruction Fuzzy Hash: B502F8B1A403187AD721EB60DD87FDA73AD9B09704F4064E1F74CB61C2EBB16AC48B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E13110 Relevance: 70.6, APIs: 15, Strings: 25, Instructions: 623
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000200,?,?,?,?,00E09B9A,?,?,?,?,?,?,?,00000000), ref: 00E1321F
GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00E1323A
GetUserNameW.ADVAPI32(?,00000200), ref: 00E132B9
_strstr.LIBCMT ref: 00E133AC
_strstr.LIBCMT ref: 00E13416
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 00E1347C
SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,?), ref: 00E1353A
GetTempPathW.KERNEL32(00000200,?), ref: 00E135C5
GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00E135E0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000), ref: 00E1360A
SHGetFolderPathW.SHELL32(00000000,00000002,00000000,00000000,?), ref: 00E136B0
GetLongPathNameW.KERNEL32(00000000,00000010,00000000,00000000,?), ref: 00E13726
GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00E13743
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,?), ref: 00E1376F
GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00E13786

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Part of subcall function 00E4405E: ___report_securityfailure.LIBCMT ref: 00E44063

Strings

MXmeeting, xrefs: 00E134E5, 00E13629
c:\rhub2\code\utility\utility.cpp, xrefs: 00E1326C, 00E1336D, 00E133E2, 00E1344A, 00E13490, 00E134CB, 00E1359E, 00E1382B, 00E13850, 00E13875, 00E1389A, 00E138BC, 00E138DE, 00E13917, 00E13950
sUserApplicationDirectory = %s, xrefs: 00E13890
WebMeeting, xrefs: 00E131A2
user application directory does not exist, xrefs: 00E13486
\, xrefs: 00E13580
bSystemUser = true, xrefs: 00E1393A
\.., xrefs: 00E1343A
Utility::GetUserDirectory(), xrefs: 00E13273, 00E13374, 00E133F5, 00E13453, 00E1349A, 00E134D2, 00E135A5, 00E13832, 00E13857, 00E1387C, 00E138A1, 00E138C3, 00E138E5, 00E1391E, 00E13957
bUserAppDirAccessable = false, xrefs: 00E1390D
sTempDirectory = %s, xrefs: 00E138B2
bUserAppDirAccessable = true, xrefs: 00E13901
sCurrentFilePath = %s, xrefs: 00E13262
bSystemUser = true, sUserApplicationDirectory = %s, xrefs: 00E13363, 00E133D0, 00E13440
%s\%s, xrefs: 00E13395
sDesktopDirectory = %s, xrefs: 00E138D4
bSystemUser = false, xrefs: 00E13946
from CSIDL_COMMON_DOCUMENTS, sUserApplicationDirectory = %s, xrefs: 00E13594
sCurrentFile = %s, xrefs: 00E1386B
SYSTEM, xrefs: 00E13304
sStartMenuDirectory = %s, xrefs: 00E13821
TurboMeeting, xrefs: 00E13384
sCurrentDirectory = %s, xrefs: 00E13846
\..\.., xrefs: 00E133CA
bSystemUser = false, sUserApplicationDirectory = %s, xrefs: 00E134C1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Path$Name$FolderLong$CriticalSection_strstr$EnterFileLeaveModuleSpecialTempUser___report_securityfailure
String ID: %s\%s$MXmeeting$SYSTEM$TurboMeeting$Utility::GetUserDirectory()$WebMeeting$\$\..$\..\..$bSystemUser = false$bSystemUser = false, sUserApplicationDirectory = %s$bSystemUser = true$bSystemUser = true, sUserApplicationDirectory = %s$bUserAppDirAccessable = false$bUserAppDirAccessable = true$c:\rhub2\code\utility\utility.cpp$from CSIDL_COMMON_DOCUMENTS, sUserApplicationDirectory = %s$sCurrentDirectory = %s$sCurrentFile = %s$sCurrentFilePath = %s$sDesktopDirectory = %s$sStartMenuDirectory = %s$sTempDirectory = %s$sUserApplicationDirectory = %s$user application directory does not exist
API String ID: 1580760233-3861434914
Opcode ID: fd7fc5da78346891ebe41445fa937cbb0f3b55d86e1c6788a098886e429f68e7
Instruction ID: e1f14c4adca764fd5cfddfa8d737332d33d1d2a91808c850d19d36953c83e07c
Opcode Fuzzy Hash: fd7fc5da78346891ebe41445fa937cbb0f3b55d86e1c6788a098886e429f68e7
Instruction Fuzzy Hash: 7F220A70248381BED721DF20CC46FE77BD9AB45708F046869F588BB2D2D7B2A649C751

Uniqueness

Uniqueness Score: -1.00%

Function 00E14F80 Relevance: 58.0, APIs: 24, Strings: 9, Instructions: 288
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E15040
GetLastError.KERNEL32 ref: 00E15052
Process32FirstW.KERNEL32(00000000,?), ref: 00E15080
CloseHandle.KERNEL32(00000000), ref: 00E1508A
GetLastError.KERNEL32 ref: 00E15090
GetCurrentThread.KERNEL32 ref: 00E150F2
OpenThreadToken.ADVAPI32(00000000), ref: 00E150F9
GetLastError.KERNEL32 ref: 00E1510D
ImpersonateSelf.KERNELBASE(00000002), ref: 00E15118
GetLastError.KERNEL32 ref: 00E15122
GetCurrentThread.KERNEL32 ref: 00E15145
OpenThreadToken.ADVAPI32(00000000), ref: 00E1514C
GetLastError.KERNEL32 ref: 00E15156
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00E151BE
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 00E15209
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00E1523A
OpenProcess.KERNEL32(00000411,00000000,?), ref: 00E15252
_strstr.LIBCMT ref: 00E152F2
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E15301
CloseHandle.KERNEL32(00000000), ref: 00E15308
GetLastError.KERNEL32 ref: 00E15321

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Process32NextW.KERNEL32(?,0000022C), ref: 00E15331
CloseHandle.KERNEL32(?), ref: 00E15365

Strings

c:\rhub2\code\utility\utility.cpp, xrefs: 00E15009, 00E150AA, 00E15184, 00E1534A
ImpersonateSelf(SecurityImpersonation) failed: %d, %s, xrefs: 00E1512E
OpenThreadToken() failed: %d, %s, xrefs: 00E15162, 00E1517A
sProcessName = %s, xrefs: 00E14FFF
Utility::TerminateProcessByName, xrefs: 00E15018, 00E150B1, 00E1518B, 00E15351
!Process32First(): %d, %s, xrefs: 00E150A0
CRITICAL ISSUE: there is a dead loop. One TurboMeeting.exe cannot be removed!, xrefs: 00E15340
SeDebugPrivilege, xrefs: 00E151B0
hProcessSnap == INVALID_HANDLE_VALUE: %d, %s, xrefs: 00E15062

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$OpenThread$CloseHandleProcessToken$CriticalCurrentProcess32Section$AdjustCreateEnterFirstImpersonateLeaveLookupNextPrivilegePrivilegesSelfSnapshotTerminateToolhelp32Value_strstr
String ID: !Process32First(): %d, %s$CRITICAL ISSUE: there is a dead loop. One TurboMeeting.exe cannot be removed!$ImpersonateSelf(SecurityImpersonation) failed: %d, %s$OpenThreadToken() failed: %d, %s$SeDebugPrivilege$Utility::TerminateProcessByName$c:\rhub2\code\utility\utility.cpp$hProcessSnap == INVALID_HANDLE_VALUE: %d, %s$sProcessName = %s
API String ID: 1534570458-1312956877
Opcode ID: 887c0a39d461297065d5d1f5ce928a5474f2c969012116430619d884ddf95497
Instruction ID: 804a951d019e81e83f978afc0d7323753edc168aca9299617483e6fcb71f9353
Opcode Fuzzy Hash: 887c0a39d461297065d5d1f5ce928a5474f2c969012116430619d884ddf95497
Instruction Fuzzy Hash: AAA19F72A41628EEDB219B21DC05FEE7BB8AF45704F0451D5F809B72D2DBB19AC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E14130 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 209fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

FindFirstFileW.KERNEL32(?,?), ref: 00E141A7
RemoveDirectoryW.KERNEL32(?), ref: 00E141D2
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E142D2
_strstr.LIBCMT ref: 00E142F7
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E14310
FindNextFileW.KERNEL32(00000000,?,00000000), ref: 00E1431C
FindClose.KERNEL32(00000000), ref: 00E1432B

Strings

Utility::RemoveAllFile, xrefs: 00E143C1
c:\rhub2\code\utility\utility.cpp, xrefs: 00E143BA
%s\%s, xrefs: 00E1429A
%s\*, xrefs: 00E14172
End of RemoveAllFile: path = %s, %s, error code: %d, error: %s, xrefs: 00E143B0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: File$Find$AttributesByteCharCloseDeleteDirectoryFirstMultiNextRemoveWide_strstr
String ID: %s\%s$%s\*$End of RemoveAllFile: path = %s, %s, error code: %d, error: %s$Utility::RemoveAllFile$c:\rhub2\code\utility\utility.cpp
API String ID: 2053179335-2006491347
Opcode ID: 90527ea70b5ab93ee0623372481797a41b32c52232ae164e7bf34dbc3842c29c
Instruction ID: c11e2b8aa94f926f7bca31dcffbd0d299f4d51ee77eb36a74c440dacac364b79
Opcode Fuzzy Hash: 90527ea70b5ab93ee0623372481797a41b32c52232ae164e7bf34dbc3842c29c
Instruction Fuzzy Hash: D46193B2504344AAE720EB60EC46FEB73EDBF99704F445829F649E21D2EB3195C4C762

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B751 Relevance: 16.6, APIs: 11, Instructions: 140COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E2B758
FindResourceW.KERNEL32(?,00000000,00000005), ref: 00E2B79C
LoadResource.KERNEL32(?,00000000), ref: 00E2B7A4

Part of subcall function 00E1F386: UnhookWindowsHookEx.USER32(?), ref: 00E1F3B0

LockResource.KERNEL32(?), ref: 00E2B7B4
GetDesktopWindow.USER32 ref: 00E2B7EB
IsWindowEnabled.USER32(00000000), ref: 00E2B7F6
EnableWindow.USER32(00000000,00000000), ref: 00E2B802

Part of subcall function 00E2ACCC: IsWindowEnabled.USER32(?), ref: 00E2ACD7

Part of subcall function 00E2A5EA: EnableWindow.USER32(?,00000000), ref: 00E2A5FB

EnableWindow.USER32(00000000,00000001), ref: 00E2B8E6
GetActiveWindow.USER32 ref: 00E2B8F0
SetActiveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00E2B8FC
FreeResource.KERNEL32(?,?,?,?,?,00000000), ref: 00E2B926

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 59c8e98d679f1d0f25b7c311e8e7bc9c2730e878e00819a21c32122ecef00ca7
Instruction ID: 1af4de40228d78c9845d221a1e37354fb037395a17d7780f3fbd49689f5c9c78
Opcode Fuzzy Hash: 59c8e98d679f1d0f25b7c311e8e7bc9c2730e878e00819a21c32122ecef00ca7
Instruction Fuzzy Hash: A4517030E006259FCF15EF71E845BAEBBB9BF48715F046119E909B3292DB345C81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E62425 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 369timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E624A7
_free.LIBCMT ref: 00E624CB
_free.LIBCMT ref: 00E62650
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00E8A000), ref: 00E62662
WideCharToMultiByte.KERNEL32(00000000,00000000,W. Europe Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00E626DA
WideCharToMultiByte.KERNEL32(00000000,00000000,W. Europe Summer Time,000000FF,?,0000003F,00000000,?), ref: 00E62707
_free.LIBCMT ref: 00E6281C

Strings

W. Europe Summer Time, xrefs: 00E62700
W. Europe Standard Time, xrefs: 00E626D3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 314583886-690618308
Opcode ID: 5d046ebfa06197e5c9cdd044dedd24e5f29023aa71c62e766a74d42d9560fd2d
Instruction ID: 420274a9e023fdacfc592c08f39db24154c0922074914bdd6133062e6d8a0d34
Opcode Fuzzy Hash: 5d046ebfa06197e5c9cdd044dedd24e5f29023aa71c62e766a74d42d9560fd2d
Instruction Fuzzy Hash: 7DC15871980605AFDB349F38EC55AAB7BE8EF85394F14216EE691B7282DB309E01C750

Uniqueness

Uniqueness Score: -1.00%

Function 00E2F81B Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F82D
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00E2F83D
EncodePointer.KERNEL32(00000000,?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F846
DecodePointer.KERNEL32(150661E0,?,?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F854
GetLocaleInfoEx.KERNEL32(?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F874
GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F88B

Strings

GetLocaleInfoEx, xrefs: 00E2F837
kernel32.dll, xrefs: 00E2F828

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocalePointer$AddressDecodeEncodeHandleModuleProc
String ID: GetLocaleInfoEx$kernel32.dll
API String ID: 3226634038-1547310189
Opcode ID: d699d82227e50307e81b73a727c272e12e69cd663a9e5b72f95234c61a99e813
Instruction ID: e603591127444fdf1009359033f0560c5eabceeb89a33dbcbba4561507c93d1d
Opcode Fuzzy Hash: d699d82227e50307e81b73a727c272e12e69cd663a9e5b72f95234c61a99e813
Instruction Fuzzy Hash: 03014B35500229BF8F0AAFB2FC088AA7B79FF087467005035FE09B6131CB31C8609B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E0E5A0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 38threadnetworkCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E560), ref: 00E0E5A7
SetThreadPriority.KERNEL32(?,0000000F), ref: 00E0E5BC
WSAGetLastError.WS2_32 ref: 00E0E5C6

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

SetEvent.KERNEL32(?), ref: 00E0E603
SetEvent.KERNEL32(?), ref: 00E0E60F

Strings

c:\rhub2\code\utility\mythread.cpp, xrefs: 00E0E5E0
SetThreadPriority() failed, error code: %d, error: %s, xrefs: 00E0E5D6
MyThread::ThreadFunc(), xrefs: 00E0E5E7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalEventSection$EnterErrorExceptionFilterLastLeavePriorityThreadUnhandled
String ID: MyThread::ThreadFunc()$SetThreadPriority() failed, error code: %d, error: %s$c:\rhub2\code\utility\mythread.cpp
API String ID: 1290180407-840189773
Opcode ID: 7eea6d014f57eb20ed574d8b6dafcf0fc819f3851cc3f20380543aa64f493b2e
Instruction ID: b26cf41731fce04a986d7b4bf39ba78a38723c15fcb00f386e5b9d9d395dc55b
Opcode Fuzzy Hash: 7eea6d014f57eb20ed574d8b6dafcf0fc819f3851cc3f20380543aa64f493b2e
Instruction Fuzzy Hash: 4FF04F717402117FE7259B22EC0DF1A7FA5FF48754F049860F51DB22E2E760A895CA92

Uniqueness

Uniqueness Score: -1.00%

Function 00E12320 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 449timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,904898A6,?), ref: 00E1239F

Part of subcall function 00E01D16: _Deallocate.LIBCONCRT ref: 00E01D25

Strings

Utility::GetIPAddressByName, xrefs: 00E12BC0
getaddrinfo(%s) failed: Error Code = %d, Error = %s, xrefs: 00E12BAF
c:\rhub2\code\utility\utility.cpp, xrefs: 00E12BB9
%s%d, xrefs: 00E12416
%d-%d-%d-%d, xrefs: 00E123CA

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: DeallocateSystemTime
String ID: %d-%d-%d-%d$%s%d$Utility::GetIPAddressByName$c:\rhub2\code\utility\utility.cpp$getaddrinfo(%s) failed: Error Code = %d, Error = %s
API String ID: 2177079487-2401621314
Opcode ID: 93fe65e6c4b544f55116a80d24f45123872f65088f0cce9c41d5cbc1ea1dc2d6
Instruction ID: 900ed846eda5f2655b38a32713107ac1d4810a7473f3e2f69f6934c1e43f6f2e
Opcode Fuzzy Hash: 93fe65e6c4b544f55116a80d24f45123872f65088f0cce9c41d5cbc1ea1dc2d6
Instruction Fuzzy Hash: F4F1F671A003189BDB24DF34CC85BDDB7B5EF85304F109A9CE549B7682EB74AAC88B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D692 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,00E24F6F,?,00E9AA90,00000010,00E1F325,?), ref: 00E1D6A6
GetLastError.KERNEL32(00E1F325,?,?,00E24F6F,?,00E9AA90,00000010,00E1F325,?), ref: 00E1D6DD

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00E1D6A1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: DebugErrorLastOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 4132100945-2690750368
Opcode ID: 49f0f8184600fc846f68e959667c8e76c73a301bbef2d52cd94716c1884cb516
Instruction ID: 5d22154e27084a7ba71417019f35baea71873d6551945a9dec8fe4e24905d276
Opcode Fuzzy Hash: 49f0f8184600fc846f68e959667c8e76c73a301bbef2d52cd94716c1884cb516
Instruction Fuzzy Hash: 0EF0F63520D3148B4B3867AABC549EE3794AB0AB593242026F90EF19B1DA60DCD4CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E4FDB8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00E4FDB7,?,?,?,?), ref: 00E4FDDA
TerminateProcess.KERNEL32(00000000,?,00E4FDB7,?,?,?,?), ref: 00E4FDE1
ExitProcess.KERNEL32 ref: 00E4FDF3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 99281347af97009f4fdca36f90c2e92843fe67cdc7c889d2a85cdf4f4758e286
Instruction ID: ce0f5e7fab33ddb62799b16498c3564f91b283160449aaab6cf386916ec7e813
Opcode Fuzzy Hash: 99281347af97009f4fdca36f90c2e92843fe67cdc7c889d2a85cdf4f4758e286
Instruction Fuzzy Hash: 0FE04631400548AFCF11AB65EC0CA293B79FF00742B050424F809AA132CB35DC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E4CDF6 Relevance: 1.5, Strings: 1, Instructions: 215COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00E4CF66

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 14413e32b7d14194a941a5679042a3159b7c8edaaac67d7a848c1c4957b2fb9f
Instruction ID: 943b3ec3cc0b7aaf2b9e51938ad86207eabae83d1e38bfb73ead67a62358bf58
Opcode Fuzzy Hash: 14413e32b7d14194a941a5679042a3159b7c8edaaac67d7a848c1c4957b2fb9f
Instruction Fuzzy Hash: 4451BD7130760057DBB88A6CB8557FF63CA9B16308F38390AE543F7682C719EE4A8365

Uniqueness

Uniqueness Score: -1.00%

Function 00E5FD22 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3890fd4f3637570803c2259bfffde9a55cd4efccbe05144b8a6f7e449aeb741b
Instruction ID: 9a49365da57d6e7a53cd4bc5cdaee895346ef630874799257b40b97018106f02
Opcode Fuzzy Hash: 3890fd4f3637570803c2259bfffde9a55cd4efccbe05144b8a6f7e449aeb741b
Instruction Fuzzy Hash: ACF03031A553289BCB26CA4CD945B9A73FCEB44B62F1159A6F944E7250C670AE04C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00E0C770 Relevance: 85.1, APIs: 13, Strings: 35, Instructions: 1073
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Part of subcall function 00E0DD70: FindWindowW.USER32(TurboMeetingMainWindowClass,00000000), ref: 00E0DDB7
Part of subcall function 00E0DD70: PostMessageW.USER32(00000000,000013A0,00000000,00000000), ref: 00E0DDC7
Part of subcall function 00E0DD70: FindWindowW.USER32(TurboMeetingMainWindowClass,00000000), ref: 00E0DDDB
Part of subcall function 00E0DD70: WSAGetLastError.WS2_32(?,?,?,?,?,00000000), ref: 00E0DDDF
Part of subcall function 00E0DD70: Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E0DE2A
Part of subcall function 00E0DD70: FindWindowW.USER32(TurboMeetingMainWindowClass,00000000), ref: 00E0DE37
Part of subcall function 00E0DD70: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E0DE49
Part of subcall function 00E0DD70: PostMessageW.USER32(00000000,000013A0,00000000,00000000), ref: 00E0DE83
Part of subcall function 00E0DD70: WSAGetLastError.WS2_32 ref: 00E0DE89
Part of subcall function 00E0DD70: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E0DEB9

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00E762F5,000000FF,?,00E098B2), ref: 00E0C81F
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00E762F5,000000FF), ref: 00E0C833
GetActiveWindow.USER32 ref: 00E0C871
MessageBoxW.USER32(00000000), ref: 00E0C878
GetFileAttributesW.KERNEL32(?), ref: 00E0C8CA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E0C8DE
GetFileAttributesW.KERNEL32(?), ref: 00E0CA77
MessageBoxW.USER32(00000000), ref: 00E0D359
GetFileAttributesW.KERNEL32(?), ref: 00E0CAD3

Part of subcall function 00E01D16: _Deallocate.LIBCONCRT ref: 00E01D25

GetActiveWindow.USER32 ref: 00E0D352

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

Part of subcall function 00E14130: FindFirstFileW.KERNEL32(?,?), ref: 00E141A7
Part of subcall function 00E14130: RemoveDirectoryW.KERNEL32(?), ref: 00E141D2

Strings

<__SetupFileName__>, xrefs: 00E0CE27, 00E0D769
.zip, xrefs: 00E0C921, 00E0C98E
%s\%s.exe, xrefs: 00E0D1C9, 00E0D28C, 00E0D44F
</__SetupDirectory__>, xrefs: 00E0CC0D, 00E0D54F
<__SetupConfigureFile__>, xrefs: 00E0CF06, 00E0D848
Uncompress %s into %s and %s, xrefs: 00E0C9FA
<__SetupDirectory__>, xrefs: 00E0CBDA, 00E0D51C
starter.cfg, xrefs: 00E0CF89, 00E0D8CB
</__SetupFileName__>, xrefs: 00E0CE56, 00E0D798
SetupHandler::ProcessDownloadedClient, xrefs: 00E0C7B4, 00E0C84F, 00E0CA0B, 00E0CA5D, 00E0CB42, 00E0CB6F, 00E0D264, 00E0D330, 00E0D42D, 00E0D4DC
Filed to create: %s, xrefs: 00E0C83E, 00E0C8EF, 00E0D3E0
<__WorkingDirectory__>%s\%s</__WorkingDirectory__>, xrefs: 00E0CB0C
PCClient.zip, xrefs: 00E0C93F, 00E0D1D0, 00E0D293
</__SetupConfigureFile__>, xrefs: 00E0CFDB, 00E0D91D
TMDownload, xrefs: 00E0D1C3, 00E0D286
<__NeedToRemoveSetup__>Y</__NeedToRemoveSetup__>, xrefs: 00E0D0A5
%s\%s, xrefs: 00E0C7ED, 00E0D1D6, 00E0D1FC, 00E0D299, 00E0D2C9, 00E0D466
</__SetupFile__>, xrefs: 00E0CD61, 00E0D6A7
sWorkingDirectoryFile: %s, xrefs: 00E0CA4C
Unable to save the download file, xrefs: 00E0D34D
Enter ..., xrefs: 00E0C7A3
c:\rhub2\code\setuphandler\setuphandler.cpp, xrefs: 00E0C7AD, 00E0C848, 00E0CA04, 00E0CA56, 00E0CB3B, 00E0CB68, 00E0D25E, 00E0D32A, 00E0D426, 00E0D4D5
%s\WorkingDirectory.txt, xrefs: 00E0CA22, 00E0CAA6
copy sSourceFile = %s, sTargetFile = %s, xrefs: 00E0D4CB
Uncompress %s into %s, xrefs: 00E0D41C
<__SetupFile__>, xrefs: 00E0CCBD, 00E0D5FF
sUserDefinedWorkingDirectory %s exists, xrefs: 00E0CB5E
TMInstaller, xrefs: 00E0D43D
tm_starter_dir, xrefs: 00E0C7DB, 00E0D1F6, 00E0D2B4
Failed to open file to write: %s, xrefs: 00E0CB31, 00E0D254, 00E0D320
%s\Accessory, xrefs: 00E0C88C
PCClientAccessory.zip, xrefs: 00E0C9A8
Unable to create a directory to install the downloaded software, xrefs: 00E0C86C
%s\..\%s, xrefs: 00E0D2C2
TMLauncher.exe, xrefs: 00E0D45A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: FileWindow$AttributesErrorFindLastMessage$Directory$ActiveCreateCriticalPostSection$ByteCharDeallocateEnterFirstLeaveMultiRemoveSleepWide
String ID: %s\%s$%s\%s.exe$%s\..\%s$%s\Accessory$%s\WorkingDirectory.txt$.zip$</__SetupConfigureFile__>$</__SetupDirectory__>$</__SetupFileName__>$</__SetupFile__>$<__NeedToRemoveSetup__>Y</__NeedToRemoveSetup__>$<__SetupConfigureFile__>$<__SetupDirectory__>$<__SetupFileName__>$<__SetupFile__>$<__WorkingDirectory__>%s\%s</__WorkingDirectory__>$Enter ...$Failed to open file to write: %s$Filed to create: %s$PCClient.zip$PCClientAccessory.zip$SetupHandler::ProcessDownloadedClient$TMDownload$TMInstaller$TMLauncher.exe$Unable to create a directory to install the downloaded software$Unable to save the download file$Uncompress %s into %s$Uncompress %s into %s and %s$c:\rhub2\code\setuphandler\setuphandler.cpp$copy sSourceFile = %s, sTargetFile = %s$sUserDefinedWorkingDirectory %s exists$sWorkingDirectoryFile: %s$starter.cfg$tm_starter_dir
API String ID: 3132196403-3753240308
Opcode ID: b1996b365485fda5f273dd52c688d96664aed0591a7a44fc24f31e18296539da
Instruction ID: fa3ced68a0ac49a0a007d7289a9616c19ac34cd1120d25ef05afe0b6cf176af0
Opcode Fuzzy Hash: b1996b365485fda5f273dd52c688d96664aed0591a7a44fc24f31e18296539da
Instruction Fuzzy Hash: CEB2A571C04358BADB25EBA0CC49BDDB7B8AF15304F0056D9E509761D2EBB0ABC9CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E72E40 Relevance: 70.6, APIs: 23, Strings: 17, Instructions: 566
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Part of subcall function 00E73A90: EnterCriticalSection.KERNEL32(?,904898A6,?,00E7B918,?,?,?,00E7860A,000000FF,?,00E730DA,?,?), ref: 00E73B10

InternetCloseHandle.WININET(?), ref: 00E730EC
InternetCloseHandle.WININET(?), ref: 00E730FA
InternetCloseHandle.WININET(?), ref: 00E73108
InternetOpenA.WININET(Internet Explorer,00000003,00000000,00000000,00000000), ref: 00E73167
InternetOpenA.WININET(Internet Explorer,00000000,00000000,00000000,00000000), ref: 00E73180
InternetConnectA.WININET(00000000,00000001,00E7B918,00000000,00000000,00000003,00000000,00000001), ref: 00E7319E
HttpOpenRequestA.WININET(00000000,GET,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00E731C0
HttpSendRequestA.WININET(00000000,?,?,00000000,00000000), ref: 00E731FA
InternetReadFile.WININET(?,?,00003800,00000000), ref: 00E73299
WSAGetLastError.WS2_32 ref: 00E732BB
InternetReadFileExA.WININET(?,00000028,00000004,00000000), ref: 00E732F7
WSAGetLastError.WS2_32 ref: 00E73301
_strstr.LIBCMT ref: 00E73356
WSAGetLastError.WS2_32(?,?,00000000,GET,00E7B918), ref: 00E73362
InternetCloseHandle.WININET(?), ref: 00E733B0
InternetCloseHandle.WININET(?), ref: 00E733BC
InternetCloseHandle.WININET(?), ref: 00E733C8
WSAGetLastError.WS2_32(00000000), ref: 00E73451

Strings

sIP = %s, iPort = %d, URL = %s, m_iExpectedReceiveSize = %d, xrefs: 00E72F9F
(, xrefs: 00E73229
http://%s%s, xrefs: 00E7343E
HSR() failed, error code: %d, error: %s, xrefs: 00E7346D
HLib::GetPage, xrefs: 00E72F7C, 00E72FB0, 00E7308B, 00E73325, 00E73386, 00E733FA, 00E7347E, 00E735B9, 00E73629
HR::GetPage, xrefs: 00E732DF
sIP = %s, iPort = %d, sURL = %s, iMaxLength = %d, sKeyInReturn = %s, m_iExpectedReceiveSize = %d, xrefs: 00E72F6B
GET, xrefs: 00E730AB, 00E731BA
IRE() failed, error code: %d, error: %s, xrefs: 00E73314
http://%s:%d%s, xrefs: 00E734F3
Empty IP, iPort = %d, URL = %s, m_iExpectedReceiveSize = %d, xrefs: 00E73618
bIsSystemUser = %s, g_oMyConfigure is NULL = %s, bHTTPFailed = %s, xrefs: 00E7307A
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E72F75, 00E72FA9, 00E73084, 00E732D8, 00E7331E, 00E7337F, 00E733F3, 00E73477, 00E735B2, 00E73622
Internet Explorer, xrefs: 00E7314D, 00E7317B
IRE() error code: %d, error: %s, xrefs: 00E732CE
HTTP fialed. Now try TCP for URL = %s, xrefs: 00E733E9
No keyword, error code: %d, error: %s, xrefs: 00E73375, 00E735A8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Internet$CloseHandle$ErrorLast$CriticalOpenSection$EnterFileHttpReadRequest$ConnectLeaveSend_strstr
String ID: ($Empty IP, iPort = %d, URL = %s, m_iExpectedReceiveSize = %d$GET$HLib::GetPage$HR::GetPage$HSR() failed, error code: %d, error: %s$HTTP fialed. Now try TCP for URL = %s$IRE() error code: %d, error: %s$IRE() failed, error code: %d, error: %s$Internet Explorer$No keyword, error code: %d, error: %s$bIsSystemUser = %s, g_oMyConfigure is NULL = %s, bHTTPFailed = %s$c:\rhub2\code\hlib\hlib.cpp$http://%s%s$http://%s:%d%s$sIP = %s, iPort = %d, URL = %s, m_iExpectedReceiveSize = %d$sIP = %s, iPort = %d, sURL = %s, iMaxLength = %d, sKeyInReturn = %s, m_iExpectedReceiveSize = %d
API String ID: 1181822904-774248845
Opcode ID: dee27f61bccd32c452c214762312b3362a5b0d34a9e4452f227d1c892810aaa9
Instruction ID: 442d68be4b590ed89b46f8fe8c886af89238b28daeabe93bd6df1c5a0cec1866
Opcode Fuzzy Hash: dee27f61bccd32c452c214762312b3362a5b0d34a9e4452f227d1c892810aaa9
Instruction Fuzzy Hash: A822C071A00719AFEF219B24DC85FDABBB9EB05704F005194F80CB6292D7B1AEA4DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00E1B200 Relevance: 67.3, APIs: 20, Strings: 18, Instructions: 779
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

GetTempPathW.KERNEL32(00000104,?,?,?,00E76BE6,000000FF,?,00E0D414,?,?), ref: 00E1B29E
__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00E1B2C0
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E76BE6,000000FF), ref: 00E1B2F2
__fread_nolock.LIBCMT ref: 00E1B36A
__fread_nolock.LIBCMT ref: 00E1B392
SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1B58C
__fread_nolock.LIBCMT ref: 00E1B5C4
__fread_nolock.LIBCMT ref: 00E1B5EC
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00000001), ref: 00E1B640
__fread_nolock.LIBCMT ref: 00E1B7AF
__fread_nolock.LIBCMT ref: 00E1B9EF
DeleteFileW.KERNEL32(?,?,?,?,00000001,00000000), ref: 00E1BA18
ShellExecuteW.SHELL32(00000000,Open,?,00000000,00000000,00000001), ref: 00E1BA49
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1BA6E
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000038), ref: 00E1BAF2
WSAGetLastError.WS2_32(?,?,?,?,?,?,00000001,00000000), ref: 00E1BD60

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000038), ref: 00E1BB6E
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,00000038), ref: 00E1BBAB
WSAGetLastError.WS2_32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1BC14
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00E1BC51

Strings

fread iFileMask error, xrefs: 00E1BC45
CZLib::UnZip, xrefs: 00E1B252, 00E1B33A, 00E1B697, 00E1BACB, 00E1BB34, 00E1BBED, 00E1BC93, 00E1BDA2
The following files failed to copy to the destination:, xrefs: 00E1B6CC
SHCreateDirectoryEx error: %s, error code = %d, xrefs: 00E1BABA
c:\rhub2\code\utility\zlibpp.cpp, xrefs: 00E1B24B, 00E1B30C, 00E1B333, 00E1B65A, 00E1B690, 00E1BA88, 00E1BAC4, 00E1BB0C, 00E1BB2D, 00E1BB88, 00E1BBC5, 00E1BBE6, 00E1BC2E, 00E1BC6B, 00E1BC8C, 00E1BD7A, 00E1BD9B
fwrite error, xrefs: 00E1BB23, 00E1BB9F
iErr != Z_OK && iErr != Z_STREAM_END, xrefs: 00E1BBDC
can't create file %s, skip to the next one., xrefs: 00E1B686
fread lFileLength error, xrefs: 00E1BC82
fread error, xrefs: 00E1BD91
Open, xrefs: 00E1BA42
1.2.1, xrefs: 00E1B720
CCZLib::UnZip, xrefs: 00E1B313, 00E1B661, 00E1BA8F, 00E1BB13, 00E1BB8F, 00E1BBCC, 00E1BC35, 00E1BC72, 00E1BD81
Error code: %d, error: %s, xrefs: 00E1B302, 00E1B650, 00E1BA7E, 00E1BB02, 00E1BB7E, 00E1BBBB, 00E1BC24, 00E1BC61, 00E1BD70
%sTM%d.txt, xrefs: 00E1B2BA
%s, xrefs: 00E1B6E8
enter %s to %s, xrefs: 00E1B241
can't open %s, xrefs: 00E1B329

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$__fread_nolock$CriticalSection$ByteCharCreateDeleteDirectoryEnterExecuteFileLeaveMultiPathShellTempWide__swprintf
String ID: %s$%sTM%d.txt$1.2.1$CCZLib::UnZip$CZLib::UnZip$Error code: %d, error: %s$Open$SHCreateDirectoryEx error: %s, error code = %d$The following files failed to copy to the destination:$c:\rhub2\code\utility\zlibpp.cpp$can't create file %s, skip to the next one.$can't open %s$enter %s to %s$fread error$fread iFileMask error$fread lFileLength error$fwrite error$iErr != Z_OK && iErr != Z_STREAM_END
API String ID: 2892380473-3998357332
Opcode ID: a464299973019e150ff2bfd50b0d37012f717da90b3f1d2e65443a70d5fd6ad4
Instruction ID: 024ded744e4e81c3ab8218102a98d0cb316c5fc7c579bc217facc28d4d221c0d
Opcode Fuzzy Hash: a464299973019e150ff2bfd50b0d37012f717da90b3f1d2e65443a70d5fd6ad4
Instruction Fuzzy Hash: B652A271A40319AFDB24AF64CC4ABDABBB9AF04704F005595F90CB62D1E7B19AC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E73A90 Relevance: 60.5, APIs: 8, Strings: 26, Instructions: 969networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,904898A6,?,00E7B918,?,?,?,00E7860A,000000FF,?,00E730DA,?,?), ref: 00E73B10

Part of subcall function 00E154F0: _strstr.LIBCMT ref: 00E154FC
Part of subcall function 00E154F0: _strstr.LIBCMT ref: 00E15510

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Part of subcall function 00E16C30: EnterCriticalSection.KERNEL32(00EA97FC,00000000,00E7B918,?,00000000), ref: 00E16C83
Part of subcall function 00E16C30: CreateMutexW.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00E16CA9
Part of subcall function 00E16C30: WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000000), ref: 00E16CB7
Part of subcall function 00E16C30: WSAGetLastError.WS2_32(?,?,00000000), ref: 00E16CC1
Part of subcall function 00E16C30: ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000), ref: 00E16D0D
Part of subcall function 00E16C30: LeaveCriticalSection.KERNEL32(00EA97FC,?,?,?,?,00000000), ref: 00E16D18

InternetQueryOptionA.WININET ref: 00E7434D
GetLastError.KERNEL32 ref: 00E7435B

Part of subcall function 00E749B0: _strstr.LIBCMT ref: 00E74A36
Part of subcall function 00E749B0: _strncpy.LIBCMT ref: 00E74A57

GlobalFree.KERNEL32(?), ref: 00E74876
GlobalFree.KERNEL32(?), ref: 00E74883
GlobalFree.KERNEL32(?), ref: 00E74890
LeaveCriticalSection.KERNEL32(?), ref: 00E748DF
LeaveCriticalSection.KERNEL32(?), ref: 00E74937

Strings

Option[2], PROXY_TYPE_AUTO_PROXY_URL, xrefs: 00E7450B
</__SERVER_ACCESS_SETTING1__>, xrefs: 00E73BA8
Using aServerAccessSetting[%d] = %s, xrefs: 00E74165
%s after auto URL, xrefs: 00E74687
%s after auto detect, xrefs: 00E747AA
empty after auto URL, xrefs: 00E746E4
Failed to InternetQueryOption %d, xrefs: 00E74364
Option[4], xrefs: 00E74594
Option[2].Value.dwValue = %d, bConnectionSucceeded = %s, xrefs: 00E74832
Option[3], xrefs: 00E74566
Option[0], xrefs: 00E744DD
HR::DP, xrefs: 00E74375, 00E744EE, 00E7451C, 00E7454A, 00E74577, 00E745A5
WPADLocation = %s, bConnectionSucceeded = %s, xrefs: 00E74726
empty after auto detect, xrefs: 00E747F9
No valid/matched aServerAccessSetting, xrefs: 00E742B1
After SetOptionR() bConnectionSucceeded = %s, xrefs: 00E7460E
NULL, xrefs: 00E740D8, 00E74113
<__SERVER_ACCESS_SETTING1__>, xrefs: 00E73BAD
HR::SendRequest, xrefs: 00E73B40, 00E74176, 00E74241, 00E742C2, 00E7461F, 00E74698, 00E746F5, 00E74737, 00E747BB, 00E7480A, 00E74843, 00E748BB, 00E7491A
Failed with aServerAccessSetting[i] = %s, URL = %s, xrefs: 00E74230
Option[2], PROXY_TYPE_AUTO_DETECT, xrefs: 00E74539
HR::SendRequest failed! %s, %s, %d, xrefs: 00E74909
OK with aServerAccessSetting[i] = %s, URL = %s, xrefs: 00E741E9
HR::SendRequest succeeded! m_sServerAccessSetting = %s, xrefs: 00E748AA
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E73B3A, 00E7416F, 00E7423A, 00E742BB, 00E7436E, 00E744E7, 00E74515, 00E74543, 00E74570, 00E7459E, 00E74618, 00E74691, 00E746EE, 00E74730, 00E747B4, 00E74803, 00E7483C, 00E748B4, 00E74913
HR::SendRequest NEW session for sIP = %s on iPort = %d, xrefs: 00E73B33

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$EnterFreeGlobal_strstr$ErrorLastMutex$CreateInternetObjectOptionQueryReleaseSingleWait_strncpy
String ID: %s after auto URL$%s after auto detect$</__SERVER_ACCESS_SETTING1__>$<__SERVER_ACCESS_SETTING1__>$After SetOptionR() bConnectionSucceeded = %s$Failed to InternetQueryOption %d$Failed with aServerAccessSetting[i] = %s, URL = %s$HR::DP$HR::SendRequest$HR::SendRequest NEW session for sIP = %s on iPort = %d$HR::SendRequest failed! %s, %s, %d$HR::SendRequest succeeded! m_sServerAccessSetting = %s$NULL$No valid/matched aServerAccessSetting$OK with aServerAccessSetting[i] = %s, URL = %s$Option[0]$Option[2], PROXY_TYPE_AUTO_DETECT$Option[2], PROXY_TYPE_AUTO_PROXY_URL$Option[2].Value.dwValue = %d, bConnectionSucceeded = %s$Option[3]$Option[4]$Using aServerAccessSetting[%d] = %s$WPADLocation = %s, bConnectionSucceeded = %s$c:\rhub2\code\hlib\hlib.cpp$empty after auto URL$empty after auto detect
API String ID: 3734629825-2834147483
Opcode ID: 1fedd52476e8e767139d47ebb0d7ae23e2373239ea0e0736f208c1da0dc96d2c
Instruction ID: 645ae903de2b2f417ff343e11e937008bd4efdaf2ac4a6155ff515ef2cc11595
Opcode Fuzzy Hash: 1fedd52476e8e767139d47ebb0d7ae23e2373239ea0e0736f208c1da0dc96d2c
Instruction Fuzzy Hash: 0B82EFB1A00259AFDF25DB24CC89B9ABBB5AB01304F04A0D8E54D7B2D2C7715EC9CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E0DD70 Relevance: 59.7, APIs: 14, Strings: 20, Instructions: 220
networkwindowsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

FindWindowW.USER32(TurboMeetingMainWindowClass,00000000), ref: 00E0DDB7
PostMessageW.USER32(00000000,000013A0,00000000,00000000), ref: 00E0DDC7

Part of subcall function 00E14F80: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E15040
Part of subcall function 00E14F80: GetLastError.KERNEL32 ref: 00E15052

FindWindowW.USER32(TurboMeetingMainWindowClass,00000000), ref: 00E0DDDB
WSAGetLastError.WS2_32(?,?,?,?,?,00000000), ref: 00E0DDDF
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E0DE2A
FindWindowW.USER32(TurboMeetingMainWindowClass,00000000), ref: 00E0DE37
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E0DE49
PostMessageW.USER32(00000000,000013A0,00000000,00000000), ref: 00E0DE83
WSAGetLastError.WS2_32 ref: 00E0DE89
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E0DEB9
WSAGetLastError.WS2_32(?,?,?,?,?,00000000), ref: 00E0DF03
WSAGetLastError.WS2_32 ref: 00E0DF55

Part of subcall function 00E14F80: Process32FirstW.KERNEL32(00000000,?), ref: 00E15080
Part of subcall function 00E14F80: CloseHandle.KERNEL32(00000000), ref: 00E1508A
Part of subcall function 00E14F80: GetLastError.KERNEL32 ref: 00E15090
Part of subcall function 00E14F80: GetCurrentThread.KERNEL32 ref: 00E150F2
Part of subcall function 00E14F80: OpenThreadToken.ADVAPI32(00000000), ref: 00E150F9
Part of subcall function 00E14F80: GetLastError.KERNEL32 ref: 00E1510D
Part of subcall function 00E14F80: ImpersonateSelf.KERNELBASE(00000002), ref: 00E15118
Part of subcall function 00E14F80: GetLastError.KERNEL32 ref: 00E15122
Part of subcall function 00E14F80: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00E151BE
Part of subcall function 00E14F80: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 00E15209
Part of subcall function 00E14F80: OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00E1523A
Part of subcall function 00E14F80: OpenProcess.KERNEL32(00000411,00000000,?), ref: 00E15252

WSAGetLastError.WS2_32 ref: 00E0DFA7

Part of subcall function 00E14F80: GetCurrentThread.KERNEL32 ref: 00E15145
Part of subcall function 00E14F80: OpenThreadToken.ADVAPI32(00000000), ref: 00E1514C
Part of subcall function 00E14F80: GetLastError.KERNEL32 ref: 00E15156
Part of subcall function 00E14F80: _strstr.LIBCMT ref: 00E152F2
Part of subcall function 00E14F80: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E15301
Part of subcall function 00E14F80: CloseHandle.KERNEL32(00000000), ref: 00E15308
Part of subcall function 00E14F80: Process32NextW.KERNEL32(?,0000022C), ref: 00E15331
Part of subcall function 00E14F80: CloseHandle.KERNEL32(?), ref: 00E15365

WSAGetLastError.WS2_32 ref: 00E0DFF9

Part of subcall function 00E13A80: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E13AB9
Part of subcall function 00E13A80: Process32FirstW.KERNEL32(00000000,00000002), ref: 00E13AD3
Part of subcall function 00E13A80: Process32NextW.KERNEL32(00000000,?), ref: 00E13B07
Part of subcall function 00E13A80: CloseHandle.KERNEL32(00000000,00000002,00000000,?,00000000,75C95D50), ref: 00E13B15

Strings

"%s.ex", xrefs: 00E0DF8D
Has stopped %s.exe and %s.exe, error code: %d, error: %s, xrefs: 00E0E00F
Enter ..., xrefs: 00E0DD86
TurboMeetingMainWindowClass, xrefs: 00E0DDB2, 00E0DDD0, 00E0DE32
SetupHandler:StopProcess(), xrefs: 00E0DE12, 00E0DE66, 00E0DEA6, 00E0DED6, 00E0DF20, 00E0DF72, 00E0DFC4
2error code: %d, error: %s, xrefs: 00E0DF61
c:\rhub2\code\setuphandler\setuphandler.cpp, xrefs: 00E0DD90, 00E0DE0B, 00E0DE5F, 00E0DE9F, 00E0DECF, 00E0DF19, 00E0DF6B, 00E0DFBD, 00E0E019, 00E0E05A
TMService.exe, xrefs: 00E0E030
4Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s, xrefs: 00E0DEC5
1error code: %d, error: %s, xrefs: 00E0DF0F
TMInstaller, xrefs: 00E0DFD4, 00E0E005
2Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s, xrefs: 00E0DE55
bServiceModeRunning is true, xrefs: 00E0E044
"%s.exe", xrefs: 00E0DF3B, 00E0DFDF
bServiceModeRunning is false, xrefs: 00E0E050
3error code: %d, error: %s, xrefs: 00E0DFB3
TurboMeeting, xrefs: 00E0DF30, 00E0DF82, 00E0E00A
SetupHandler::StopProcess, xrefs: 00E0DD97, 00E0E020, 00E0E061
Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s, xrefs: 00E0DE01
3Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s, xrefs: 00E0DE95

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseHandleOpenProcess32Thread$FindProcessTokenWindow$CreateCriticalCurrentFirstMessageNextPostSectionSnapshotToolhelp32$AdjustEnterImpersonateLeaveLookupPrivilegePrivilegesSelfSleepTerminateValue_strstr
String ID: "%s.ex"$"%s.exe"$1error code: %d, error: %s$2Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s$2error code: %d, error: %s$3Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s$3error code: %d, error: %s$4Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s$Enter ...$Failed to close TurboMeetingMainWindowClass, error code: %d, error: %s$Has stopped %s.exe and %s.exe, error code: %d, error: %s$SetupHandler::StopProcess$SetupHandler:StopProcess()$TMInstaller$TMService.exe$TurboMeeting$TurboMeetingMainWindowClass$bServiceModeRunning is false$bServiceModeRunning is true$c:\rhub2\code\setuphandler\setuphandler.cpp
API String ID: 1275666833-3803541513
Opcode ID: 32df0453fa3bdfb664982c1a08c7c67b45698a32d1ca7c08e43e6b768fc2d9ef
Instruction ID: 82f29e7ff9ed206c4975bf6b9b6336e1d4833665c5e17e6e0c7e38b5212fcaa4
Opcode Fuzzy Hash: 32df0453fa3bdfb664982c1a08c7c67b45698a32d1ca7c08e43e6b768fc2d9ef
Instruction Fuzzy Hash: 245176717C03147EE62077619C4BF6F259DDB1DB44F10A4A0FA0CBA2D3EAE06D858669

Uniqueness

Uniqueness Score: -1.00%

Function 00E09040 Relevance: 53.1, APIs: 7, Strings: 23, Instructions: 576
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SetupHandler::Download, xrefs: 00E0908C, 00E090B9, 00E09198, 00E093D0, 00E09412, 00E0972B, 00E097B8, 00E09850, 00E098FA
%s?client_type=%d&xml_format=Y&client=%s, xrefs: 00E09176
Setup %s ...Summary - average speed: %d kbps, total time: %d seconds, xrefs: 00E0988A
In Download: m_sClientDirectory = %s, xrefs: 00E0907B
sTempURL = %s, xrefs: 00E09188
%s?client_type=%d&client=%s, xrefs: 00E094BF
Download is incomplete. Please try it again, xrefs: 00E097C8
Failed to download client from: %s:%d, iDownloadSize = %d, sDownloadSize = %s, xrefs: 00E093BF
Downloading %s ..., xrefs: 00E09435
c:\rhub2\code\setuphandler\setuphandler.cpp, xrefs: 00E09085, 00E090B2, 00E09192, 00E093C9, 00E0940B, 00E09724, 00E097B1, 00E09849, 00E098F3
/as/wapi/get_client, xrefs: 00E094B4
Download is completed: iExpectedDownloadSize = %d, actual received = %d, xrefs: 00E0983F
%d,%d,%d, xrefs: 00E09693
Download is not needed, xrefs: 00E090A8
/as/wapi/auto_download, xrefs: 00E09491
Download has exchaused manay failed tries: iNumberOfTry = %d. Now exits, xrefs: 00E098E9
Connecting ..., xrefs: 00E090E6
iDownloadSize = %d, xrefs: 00E09401
/as/wapi/get_client_size, xrefs: 00E0916B
</__ClientSize__>, xrefs: 00E091FC, 00E092C9, 00E09372
<__ClientSize__>, xrefs: 00E09207, 00E092D4, 00E0937D
Download experiences timeout, xrefs: 00E0971A
Filed to complete download: iExpectedDownloadSize = %d, actual received = %d, xrefs: 00E097A7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$ActiveAttributesCreateDirectoryEnterFileLeaveMessageWindow
String ID: %d,%d,%d$%s?client_type=%d&client=%s$%s?client_type=%d&xml_format=Y&client=%s$/as/wapi/auto_download$/as/wapi/get_client$/as/wapi/get_client_size$</__ClientSize__>$<__ClientSize__>$Connecting ...$Download experiences timeout$Download has exchaused manay failed tries: iNumberOfTry = %d. Now exits$Download is completed: iExpectedDownloadSize = %d, actual received = %d$Download is incomplete. Please try it again$Download is not needed$Downloading %s ...$Failed to download client from: %s:%d, iDownloadSize = %d, sDownloadSize = %s$Filed to complete download: iExpectedDownloadSize = %d, actual received = %d$In Download: m_sClientDirectory = %s$Setup %s ...Summary - average speed: %d kbps, total time: %d seconds$SetupHandler::Download$c:\rhub2\code\setuphandler\setuphandler.cpp$iDownloadSize = %d$sTempURL = %s
API String ID: 272441001-948411225
Opcode ID: 9d538a29006b2c905ccee900795ed6cdc30de5c28e3b0549bbbf2f26181774c2
Instruction ID: 7bf75ead49e523272ac4b220a17d175d209ec671a98f6a1dabb89e255a9142fa
Opcode Fuzzy Hash: 9d538a29006b2c905ccee900795ed6cdc30de5c28e3b0549bbbf2f26181774c2
Instruction Fuzzy Hash: 7322BF71B41218ABDB24DF64CC86FE9B7B8AF09704F0051A9F50DB76C2D7B06A848F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E16DD0 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 210
synchronizationnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00EA97FC,00EB2C08,?,00EB2C08), ref: 00E16E41
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00E16E67
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00E16E79
WSAGetLastError.WS2_32 ref: 00E16E83
ReleaseMutex.KERNEL32(00000000), ref: 00E16ED2
LeaveCriticalSection.KERNEL32(00EA97FC), ref: 00E16EDD

Strings

c:\rhub2\code\utility\myconfigure.cpp, xrefs: 00E16E9D, 00E16EF4, 00E16FEE
TMCacheFileMutex, xrefs: 00E16E51
</__CACHE__>, xrefs: 00E1701C
failed to open %s for writing, xrefs: 00E16FE4
</__Configure__>, xrefs: 00E17039
MyConfigure::WriteConfigure, xrefs: 00E16EA4, 00E16EFB, 00E16FF5
failed to WaitForSingleObject(CACHE_FILE_MUTEX) error code: %d, error: %s, xrefs: 00E16E93
failed to open %s, xrefs: 00E16EEA

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalMutexSection$CreateEnterErrorLastLeaveObjectReleaseSingleWait
String ID: </__CACHE__>$</__Configure__>$MyConfigure::WriteConfigure$TMCacheFileMutex$c:\rhub2\code\utility\myconfigure.cpp$failed to WaitForSingleObject(CACHE_FILE_MUTEX) error code: %d, error: %s$failed to open %s$failed to open %s for writing
API String ID: 239197533-1363001921
Opcode ID: 661e475ba5cac80e78267845e16357a17dbb72af1893eb39d91336f155c856d8
Instruction ID: b250f68e807d587c63d83246574aad0e1c1796e70319723bd59793c5844869d6
Opcode Fuzzy Hash: 661e475ba5cac80e78267845e16357a17dbb72af1893eb39d91336f155c856d8
Instruction Fuzzy Hash: A9613971644300BFD720AF60DC46FAF37E8AF59B05F042428F94CB6293D7B599898762

Uniqueness

Uniqueness Score: -1.00%

Function 00E0E8E0 Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 274
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000200,?,904898A6,?,?,00000000), ref: 00E0E974
GetFileAttributesW.KERNEL32(004C049C,004BFE9C,004C109C,00000200,004BFC9C,004C0C9C,00000200,004BF050,004C089C,00000200,004BEE50,004C049C,00000200,004BEC50,004C009C,00000200), ref: 00E0EBA7
CopyFileW.KERNEL32(004C049C,004C089C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,904898A6), ref: 00E0EBC2
GetFileAttributesW.KERNEL32(004C009C,?,?,?,?,?,?,?,?,?,?,?,?,904898A6), ref: 00E0EBCF
CopyFileW.KERNEL32(004C009C,004C049C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,904898A6), ref: 00E0EBEA
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,904898A6), ref: 00E0EC18

Strings

C:\Users\user~1\AppData\Local\Temp\TMSetup.txt, xrefs: 00E0EA0E, 00E0EAE1
%s%s.txt, xrefs: 00E0E9D5, 00E0EA55
%sServerMemoryLog.txt, xrefs: 00E0EA34
%s.bak, xrefs: 00E0EAC1
%s%s.bak, xrefs: 00E0E9EC, 00E0EA6C
%sClientMemoryLog.bak, xrefs: 00E0EB10
rsp1024h, xrefs: 00E0EA4F, 00E0EA60, 00E0EA77
RunServerLog, xrefs: 00E0E9CF, 00E0E9E0, 00E0E9F7
%sClientMemoryLog.txt, xrefs: 00E0EB04
failed to create log file %s in MyLog::GetWorkingDirectory(), %d, xrefs: 00E0EC2C
Server, xrefs: 00E0E920, 00E0E998
%sServerMemoryLog.bak, xrefs: 00E0EA40
%s%s, xrefs: 00E0EA9B
%s.bak.bak, xrefs: 00E0EAD3
%s%s.bak.bak, xrefs: 00E0EA03, 00E0EA83

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCopy$ErrorLastPathTemp
String ID: %s%s$%s%s.bak$%s%s.bak.bak$%s%s.txt$%s.bak$%s.bak.bak$%sClientMemoryLog.bak$%sClientMemoryLog.txt$%sServerMemoryLog.bak$%sServerMemoryLog.txt$C:\Users\user~1\AppData\Local\Temp\TMSetup.txt$RunServerLog$Server$failed to create log file %s in MyLog::GetWorkingDirectory(), %d$rsp1024h
API String ID: 523701895-2386378874
Opcode ID: e156fdbf5ac3d35a003c117d35492cad9fbec0f6a88f9a9001a9f3beb6711c83
Instruction ID: 795bbfff1a9ed57784a782c5f0510df9a94ef96f7263a576f36d9baae045184c
Opcode Fuzzy Hash: e156fdbf5ac3d35a003c117d35492cad9fbec0f6a88f9a9001a9f3beb6711c83
Instruction Fuzzy Hash: CC9105756003446AE7209B708C46FE7BBEDEF89704F0858A9F59AF73C2E631B5448761

Uniqueness

Uniqueness Score: -1.00%

Function 00E14A40 Relevance: 33.6, APIs: 8, Strings: 11, Instructions: 340
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E01D16: _Deallocate.LIBCONCRT ref: 00E01D25

_strstr.LIBCMT ref: 00E14BDC
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00E14CC5
GetLastError.KERNEL32(?), ref: 00E14D01

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

GetLastError.KERNEL32 ref: 00E14DB3
ShellExecuteW.SHELL32(00000000,open,?,?,?,00000000), ref: 00E14EB0
GetLastError.KERNEL32 ref: 00E14EBD

Strings

Utility::StartProcess, xrefs: 00E14C52, 00E14C8A, 00E14CE9, 00E14D2B, 00E14D8D, 00E14DD0, 00E14EF0
sCommandLine = %s, sWorkingDirectory = %s, xrefs: 00E14C41
.exe, xrefs: 00E14B31
c:\rhub2\code\utility\utility.cpp, xrefs: 00E14C4B, 00E14C83, 00E14CE2, 00E14D24, 00E14D86, 00E14DC9, 00E14EE9
TurboMeeting, xrefs: 00E14A8C
sCommandLine = %s, xrefs: 00E14D1A
succeeded., xrefs: 00E14CD8
UTF8ToUTF16 is OK, xrefs: 00E14C79
ShellExecute(): iHinstance = %d, iErrorCode = %d, Error = %s, sExecutable = %s, sParameter = %s, xrefs: 00E14EDF
iErrorCode = %d, Error = %s, xrefs: 00E14D0D, 00E14D7C, 00E14DBF
open, xrefs: 00E14EA9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CriticalSection$ByteCharCreateDeallocateEnterExecuteLeaveMultiProcessShellWide_strstr
String ID: .exe$ShellExecute(): iHinstance = %d, iErrorCode = %d, Error = %s, sExecutable = %s, sParameter = %s$TurboMeeting$UTF8ToUTF16 is OK$Utility::StartProcess$c:\rhub2\code\utility\utility.cpp$iErrorCode = %d, Error = %s$open$sCommandLine = %s$sCommandLine = %s, sWorkingDirectory = %s$succeeded.
API String ID: 2865379995-3469969007
Opcode ID: 27f52485ec42877b9ad0210ed75d680f73fb5ed50877c47a619d5d97b8787682
Instruction ID: f4fa1f20718030b5ce947990b605b5f882bfdaa2f1d620c0776b86688ce60af5
Opcode Fuzzy Hash: 27f52485ec42877b9ad0210ed75d680f73fb5ed50877c47a619d5d97b8787682
Instruction Fuzzy Hash: 97D171B1A40758AADB20DB20CC46FEF76B8AF08705F0455D5F54CB62D2DBB46AC88F94

Uniqueness

Uniqueness Score: -1.00%

Function 00E1FF53 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 186
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E2AB5A: GetWindowLongW.USER32(?,000000F0), ref: 00E2AB67

GetParent.USER32(00000000), ref: 00E1FF8F
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00E1FFB4
GetWindowRect.USER32(00000000,00000000), ref: 00E1FFD9
GetWindowLongW.USER32(00000000,000000F0), ref: 00E20008
MonitorFromWindow.USER32(00000000,00000001), ref: 00E2003E
GetMonitorInfoW.USER32(00000000), ref: 00E20045
CopyRect.USER32(?,?), ref: 00E20053
GetWindowRect.USER32(00000000,?), ref: 00E20060
MonitorFromWindow.USER32(00000000,00000002), ref: 00E2006D
GetMonitorInfoW.USER32(00000000), ref: 00E20074
CopyRect.USER32(?,?), ref: 00E20082
GetParent.USER32(00000000), ref: 00E2008D
GetClientRect.USER32(00000000,?), ref: 00E2009A
GetClientRect.USER32(00000000,?), ref: 00E200A5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00E200B3

Strings

<:, xrefs: 00E2013B
(, xrefs: 00E20020

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
String ID: ($<:
API String ID: 3610148278-1920419900
Opcode ID: 352fffc4f04617703235f6d4e02a7ce5b4714a114bcd5b28ff9a55b52d9ebbdc
Instruction ID: aaa61ab860443f8751f5d19a6b7ea1efadda25416a7d258b245f76501de62abc
Opcode Fuzzy Hash: 352fffc4f04617703235f6d4e02a7ce5b4714a114bcd5b28ff9a55b52d9ebbdc
Instruction Fuzzy Hash: A3616B72A00229AFDB01CFA8DD88BEEBBB9FF48315F150125E905F7291D734A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E2359E Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E235A8

Part of subcall function 00E2D29E: __EH_prolog3.LIBCMT ref: 00E2D2A5

CallNextHookEx.USER32(?,?,?,?), ref: 00E235E6
GetClassNameW.USER32(?,?,00000100), ref: 00E23686
GetWindowLongW.USER32(?,000000FC), ref: 00E236C5
GetPropW.USER32(?,AfxOldWndProc423), ref: 00E236DB
SetPropW.USER32(?,AfxOldWndProc423,00000000), ref: 00E236F0
GetPropW.USER32(?,AfxOldWndProc423), ref: 00E236FC
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 00E2370F
SetWindowLongW.USER32(?,000000FC,Function_00023437), ref: 00E2371D
CallNextHookEx.USER32(?,00000003,?,?), ref: 00E237A6
UnhookWindowsHookEx.USER32(?), ref: 00E237BA

Strings

#32768, xrefs: 00E2365D, 00E23663, 00E2369C
AfxOldWndProc423, xrefs: 00E236D5, 00E236EA, 00E236F6, 00E2370A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: HookProp$CallLongNextWindow$AtomClassGlobalH_prolog3H_prolog3_NameUnhookWindows
String ID: #32768$AfxOldWndProc423
API String ID: 3603175632-2141921550
Opcode ID: e72a6651afec260fb8c1216c464b70c07873803b9339f07b344a8c0740835e2a
Instruction ID: 7233ee6585d8489fdc2b1a87e1e30d501144e3ebfcff366d405af8b4298c599d
Opcode Fuzzy Hash: e72a6651afec260fb8c1216c464b70c07873803b9339f07b344a8c0740835e2a
Instruction Fuzzy Hash: 2E51B275940228AFCF21AF61EC8DBAA3B74BF54715F101195F819B72A2DB348E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E16C30 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 120synchronizationnetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00EA97FC,00000000,00E7B918,?,00000000), ref: 00E16C83
CreateMutexW.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00E16CA9
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000000), ref: 00E16CB7
WSAGetLastError.WS2_32(?,?,00000000), ref: 00E16CC1
ReleaseMutex.KERNEL32(00000000,?,?,?,?,00000000), ref: 00E16D0D
LeaveCriticalSection.KERNEL32(00EA97FC,?,?,?,?,00000000), ref: 00E16D18
__fread_nolock.LIBCMT ref: 00E16D6A

Part of subcall function 00E13080: _strstr.LIBCMT ref: 00E130AD
Part of subcall function 00E13080: _strstr.LIBCMT ref: 00E130BD

ReleaseMutex.KERNEL32(00000000), ref: 00E16D9B
LeaveCriticalSection.KERNEL32(00EA97FC), ref: 00E16DA6

Strings

c:\rhub2\code\utility\myconfigure.cpp, xrefs: 00E16CD8, 00E16D2C
TMCacheFileMutex, xrefs: 00E16C93
failed to WaitForSingleObject(CACHE_FILE_MUTEX) error code: %d, error: %s, xrefs: 00E16CD1
MyConfigure::ReadConfigure, xrefs: 00E16CDF, 00E16D33
failed to open %s, xrefs: 00E16D25

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalMutexSection$LeaveRelease_strstr$CreateEnterErrorLastObjectSingleWait__fread_nolock
String ID: MyConfigure::ReadConfigure$TMCacheFileMutex$c:\rhub2\code\utility\myconfigure.cpp$failed to WaitForSingleObject(CACHE_FILE_MUTEX) error code: %d, error: %s$failed to open %s
API String ID: 3965872043-1612011626
Opcode ID: 0e054e2b5acaa14b0daf09188819fca3b54d9f4780e7e10c90b1009bbf02a8d6
Instruction ID: 25a28d3035cd5986cc017344f36e6661578618ea66fd170ca5634b6a117028b7
Opcode Fuzzy Hash: 0e054e2b5acaa14b0daf09188819fca3b54d9f4780e7e10c90b1009bbf02a8d6
Instruction Fuzzy Hash: ED41A5B1644300BFD710EB60AC82FAF77E8EF5A701F045429FA4CF6292D6B194898767

Uniqueness

Uniqueness Score: -1.00%

Function 00E56A6E Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5673C: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E56759

GetLastError.KERNEL32 ref: 00E56B82
__dosmaperr.LIBCMT ref: 00E56B89
GetFileType.KERNEL32(00000000), ref: 00E56B95
GetLastError.KERNEL32 ref: 00E56B9F
__dosmaperr.LIBCMT ref: 00E56BA8
CloseHandle.KERNEL32(00000000), ref: 00E56BC8
CloseHandle.KERNEL32(?), ref: 00E56D12
GetLastError.KERNEL32 ref: 00E56D44
__dosmaperr.LIBCMT ref: 00E56D4B

Strings

H, xrefs: 00E56CD0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 366870a08e759327ae273939fed507c38e0c336ff7dd09fb9095686aab409466
Instruction ID: 1cee45edb384ebbabea4b66743b8327af6febde47176879bdf50e64beac2b2d6
Opcode Fuzzy Hash: 366870a08e759327ae273939fed507c38e0c336ff7dd09fb9095686aab409466
Instruction Fuzzy Hash: BCA12432A001449FCF19EF68D8457AE7BE0EB46325F141659EC11FB392DB319D1ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E0EEE0 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 422COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

Line: , xrefs: 00E0F25F
failed to create log file %s in MyLog::GetWorkingDirectory(), xrefs: 00E0EF66
Message: , xrefs: 00E0F2E6
failed to create log file %s in MyLog::GetWorkingDirectory(), %d, xrefs: 00E0F498
Function: , xrefs: 00E0F0D1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Function: $Line: $Message: $failed to create log file %s in MyLog::GetWorkingDirectory()$failed to create log file %s in MyLog::GetWorkingDirectory(), %d
API String ID: 3168844106-992174833
Opcode ID: b0193f7ea514c6b98491f346255dd6c82e375800393c81a44dcd98f39e2fae3c
Instruction ID: dde7bd254df423191ef004f4cca19f49b8528072aa2c61d186ff581247208d4d
Opcode Fuzzy Hash: b0193f7ea514c6b98491f346255dd6c82e375800393c81a44dcd98f39e2fae3c
Instruction Fuzzy Hash: 250201B19002088FDB25DB24CC84BDEB7B9EF45304F0096E8E519BB292D775AAD88B55

Uniqueness

Uniqueness Score: -1.00%

Function 00E23437 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E2343E
GetPropW.USER32(?,AfxOldWndProc423), ref: 00E23455
CallWindowProcW.USER32(?,?,00000110,?,?), ref: 00E234B9

Part of subcall function 00E239A1: GetWindowRect.USER32(?,?), ref: 00E239E2
Part of subcall function 00E239A1: GetWindow.USER32(?,00000004), ref: 00E239FF

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00E234D9
RemovePropW.USER32(?,AfxOldWndProc423), ref: 00E234E6
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 00E234ED
GlobalDeleteAtom.KERNEL32(?), ref: 00E234F7

Part of subcall function 00E23A4C: GetWindowRect.USER32(?,00000360), ref: 00E23A59

CallWindowProcW.USER32(?,?,?,?,?), ref: 00E2354E

Strings

AfxOldWndProc423, xrefs: 00E23449, 00E234DF, 00E234E4, 00E234EC

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
String ID: AfxOldWndProc423
API String ID: 3351853316-1060338832
Opcode ID: ace630ec3c8654fa4ce6a7f2f8dd9bf0916e356e8951b776ca3a87ced2d1732b
Instruction ID: 887f61b3ad0c5d795ae0cf215825ed362d5fbf11cf1e4b12342a055b3a0aa968
Opcode Fuzzy Hash: ace630ec3c8654fa4ce6a7f2f8dd9bf0916e356e8951b776ca3a87ced2d1732b
Instruction Fuzzy Hash: C9315271900228AFDF05EFB5EC498BEBBB9BF48710B006519F51AB2152DA398E449F60

Uniqueness

Uniqueness Score: -1.00%

Function 00E0247E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 00E0249F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00E024AD
GetDC.USER32(?), ref: 00E024B2
GetDeviceCaps.GDI32(?,00000058), ref: 00E024C9
ReleaseDC.USER32(?,?), ref: 00E024EC
GetWindowRect.USER32(?,?), ref: 00E02514
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E02569
KiUserCallbackDispatcher.NTDLL(00EAF330,00000000,00000000,00000000,00000000,00000053,00EAF430,00000000,00000000,00000000,00000000,00000053), ref: 00E0258F

Strings

PCSetup, xrefs: 00E024F2

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CallbackCapsDeviceDispatcherRectReleaseUserWindow
String ID: PCSetup
API String ID: 682895369-361480226
Opcode ID: 1d1c4af1dbd13d6ea06dbb11d680652bc8a2f931cbf778804b0547775d9861ef
Instruction ID: bd209fdc125f48a3417f9633391c26e04b0f910a2342609255e23b3baf47eba0
Opcode Fuzzy Hash: 1d1c4af1dbd13d6ea06dbb11d680652bc8a2f931cbf778804b0547775d9861ef
Instruction Fuzzy Hash: D031F1313016217BDA266771DC4AFEFBE6ABF4A750F005214B20D760E2CFA06896D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CF8E Relevance: 15.1, APIs: 10, Instructions: 111memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,00000000), ref: 00E2CFA3
GlobalAlloc.KERNEL32(00000002,00000000,?,?,00000000), ref: 00E2CFFE
GlobalHandle.KERNEL32(00000010), ref: 00E2D008
GlobalUnlock.KERNEL32(00000000,?,?,00000000), ref: 00E2D011
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00E2D02B
GlobalLock.KERNEL32(00000000,?,?,00000000), ref: 00E2D036
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00E2D080
GlobalHandle.KERNEL32(00000010), ref: 00E2D094
GlobalLock.KERNEL32(00000000,?,?,00000000), ref: 00E2D09B
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00E2D0A5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: fd1397aeb6edb3efe9766c22829964390aa7318cb182e967f8b154ef4e18429b
Instruction ID: 80c7bee6b6aa25389a45af586ac0bbb26b584e9c0f9b2c79d55007f506fafd87
Opcode Fuzzy Hash: fd1397aeb6edb3efe9766c22829964390aa7318cb182e967f8b154ef4e18429b
Instruction Fuzzy Hash: D741F271600324AFDB24DF64EC89F9977FAEF44304F104469E446E72A1DB70AD89CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E0304C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E03056

Part of subcall function 00E297CE: __EH_prolog3.LIBCMT ref: 00E297D5
Part of subcall function 00E297CE: BeginPaint.USER32(?,?,00000004,00E02671,?,00000088), ref: 00E29801

GetWindowRect.USER32(?,?), ref: 00E03080
SetRect.USER32(?,00000000,00000000,?,?), ref: 00E030A0
GetClientRect.USER32(?,?), ref: 00E030A9
SetRect.USER32(?,00000000,00000000,?,?), ref: 00E030C3

Part of subcall function 00E2C0A5: SetBkColor.GDI32(00000000,?), ref: 00E2C0C1
Part of subcall function 00E2C0A5: ExtTextOutW.GDI32(00000000,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00E2C0D6

Part of subcall function 00E2AB5A: GetWindowLongW.USER32(?,000000F0), ref: 00E2AB67

SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00E03125
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00E03184

Part of subcall function 00E2C256: SendMessageW.USER32(?,00000407,00000000,?), ref: 00E2C269

Strings

06@, xrefs: 00E030C5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Rect$MessageSend$Window$BeginClientColorH_prolog3H_prolog3_LongPaintText
String ID: 06@
API String ID: 2614379232-619375719
Opcode ID: 8d02aeebae9b0410085271c1eaf82fdd3531c9591b4a4f0646d61fd7bdc0a7f8
Instruction ID: 5c5afba05db0dedbaea330b9f19d5211735ffa207daa05bda72e71279831408a
Opcode Fuzzy Hash: 8d02aeebae9b0410085271c1eaf82fdd3531c9591b4a4f0646d61fd7bdc0a7f8
Instruction Fuzzy Hash: 5F41F972E00129AFDF14DFB4DD85EEEB7B9BF59300F105159E609F6192DA70AA84CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D7B1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 00E1D947

Part of subcall function 00E1D70D: GetProcAddress.KERNEL32(00000000,O), ref: 00E1D73B

GetModuleFileNameW.KERNEL32(?,?,00000105,?,00E24F6F,?,00E9AA90,00000010,00E1F325,?), ref: 00E1D861
SetLastError.KERNEL32(0000006F,?,00E24F6F,?,00E9AA90,00000010,00E1F325,?), ref: 00E1D875
GetLastError.KERNEL32(00000020), ref: 00E1D8CC

Strings

Comctl32.dll, xrefs: 00E1D933, 00E1D938, 00E1D946
GetModuleHandleExW, xrefs: 00E1D814
@, xrefs: 00E1D922
, xrefs: 00E1D880

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: $@$Comctl32.dll$GetModuleHandleExW
API String ID: 3640817601-4183358198
Opcode ID: 23bbc1de5c9d777e056f3a00c37efedae51e285d3fc654a67aa4ddc4cc45a958
Instruction ID: 7cb3e074069b3a89bfe1332319442018512ee1a68d5817944d3088f82929f493
Opcode Fuzzy Hash: 23bbc1de5c9d777e056f3a00c37efedae51e285d3fc654a67aa4ddc4cc45a958
Instruction Fuzzy Hash: A341B471908314AAEF249B65DC89BED73B8EB89714F1412A7E518F21D0DBB49EC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E61A63 Relevance: 13.8, APIs: 9, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0d2fa3ce26d103eb2240007e2bd711b6a0184f408eb11acaa38fd1e0738ed5
Instruction ID: 0a153056c48343e0130351fe9713cf88de45db30549d35c6c84d57c1fabb5cae
Opcode Fuzzy Hash: 2e0d2fa3ce26d103eb2240007e2bd711b6a0184f408eb11acaa38fd1e0738ed5
Instruction Fuzzy Hash: 59B14570E442459FCB16DFA9E885BAEBBF0BF49344F181188E801BB392C7309D01CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E74CA0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

https=, xrefs: 00E74DBA
socks=, xrefs: 00E74E4D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Delete_strstr$EnterLeaveValue___report_securityfailure
String ID: https=$socks=
API String ID: 1360646552-2412867611
Opcode ID: 061407e054fae78ddc6365bc24bd678bd9d1ec7d38fa94ef98d13cb1e60f909d
Instruction ID: 2f2920af2067cae2d9f27f0417941234bd59c1581b5da9d42083c5519aa18ea9
Opcode Fuzzy Hash: 061407e054fae78ddc6365bc24bd678bd9d1ec7d38fa94ef98d13cb1e60f909d
Instruction Fuzzy Hash: B1717DB1A40349ABDF11DF90DC05EEE7BBAEF55308F04A014FA19BB291D7329915DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E625F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00E8A000), ref: 00E62662
WideCharToMultiByte.KERNEL32(00000000,00000000,W. Europe Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00E626DA
WideCharToMultiByte.KERNEL32(00000000,00000000,W. Europe Summer Time,000000FF,?,0000003F,00000000,?), ref: 00E62707
_free.LIBCMT ref: 00E62650

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

_free.LIBCMT ref: 00E6281C

Strings

W. Europe Summer Time, xrefs: 00E62700
W. Europe Standard Time, xrefs: 00E626D3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 1286116820-690618308
Opcode ID: 6dfbb2cdc69ea31b9f6f81e56f9d58a50a64ed3056bd4bd16cd8cab93853a235
Instruction ID: 1120d307e592b37c8943d35f22381f4e2c18fa7e76ab30816eaef61ba2ac475d
Opcode Fuzzy Hash: 6dfbb2cdc69ea31b9f6f81e56f9d58a50a64ed3056bd4bd16cd8cab93853a235
Instruction Fuzzy Hash: F0513B71940609AFDB20DF75EC859AF77F8EF84390B10226EE654B3192DB30AE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FA4A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 29libraryloadernetworkCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll,00000000,00E1F2E7,?,?,?,?,00E2B4BF,000FC000,00000010,00000040,00E2B6C4,?,?,?), ref: 00E2FA59
GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 00E2FA69
EncodePointer.KERNEL32(00000000,?,?,?,?,00E2B4BF,000FC000,00000010,00000040,00E2B6C4,?,?,?,?,?,00E2B696), ref: 00E2FA72
DecodePointer.KERNEL32(14DBB410,00000000,00E1F2E7,?,?,?,?,00E2B4BF,000FC000,00000010,00000040,00E2B6C4,?,?,?), ref: 00E2FA80
InitNetworkAddressControl.SHELL32(?,?,?,?,00E2B4BF,000FC000,00000010,00000040,00E2B6C4,?,?,?,?,?,00E2B696,00000000), ref: 00E2FA94

Strings

InitNetworkAddressControl, xrefs: 00E2FA63
shell32.dll, xrefs: 00E2FA54

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressPointer$ControlDecodeEncodeHandleInitModuleNetworkProc
String ID: InitNetworkAddressControl$shell32.dll
API String ID: 3303222225-1950653938
Opcode ID: f68eb1947f622e5c0f1bccc4a5263bb4d93d9f57ccd8b8c827e332a92033a79c
Instruction ID: 32b7587574342028650edae284e72ba4ac045b79ed74c3cb58190d0e330b9b39
Opcode Fuzzy Hash: f68eb1947f622e5c0f1bccc4a5263bb4d93d9f57ccd8b8c827e332a92033a79c
Instruction Fuzzy Hash: 62E01271E01632AF9B20EBB2BD0CDA937B8EF157423051575FD0EF6265EB248C458790

Uniqueness

Uniqueness Score: -1.00%

Function 00E028BD Relevance: 12.2, APIs: 8, Instructions: 172windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E028C7
__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00E02A1E
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E02A4B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_MessageSend__swprintf
String ID:
API String ID: 1693283446-0
Opcode ID: 8f98e0e01925c2cd98ebaea7b88a3d9fd21163424e5f6b0a6357c66ab2d72dd0
Instruction ID: c90b10b99418a9a595d84054d7f90e1f319546b7b77d1f7130aa48e8c7759680
Opcode Fuzzy Hash: 8f98e0e01925c2cd98ebaea7b88a3d9fd21163424e5f6b0a6357c66ab2d72dd0
Instruction Fuzzy Hash: 7B616F71910228AAEB25EB74CC96FDEB7B9AF44300F1016E9E60977182DEB05EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2E059 Relevance: 12.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00E2E05F
GetSystemMetrics.USER32(0000000C), ref: 00E2E06A
GetSystemMetrics.USER32(00000002), ref: 00E2E075
GetSystemMetrics.USER32(00000003), ref: 00E2E083
GetDC.USER32(00000000), ref: 00E2E091
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E2E09C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E2E0A8
ReleaseDC.USER32(00000000,00000000), ref: 00E2E0B4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 01c4b2bc4eb5d6fab6bd686315a2561b1d6283c043e8a42186d80b48ce083f53
Instruction ID: e3f46cf6879c79fe4a919e45ada3f6da9871a248d9d995bbcb474ea9409d59fb
Opcode Fuzzy Hash: 01c4b2bc4eb5d6fab6bd686315a2561b1d6283c043e8a42186d80b48ce083f53
Instruction Fuzzy Hash: A9F0F9B1A40720AFE7119FF2BC0DB867B64FF49712F004525F70AEA191DBB584898FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5502E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(\O,?,00000000,00000000), ref: 00E55050
GetFileInformationByHandle.KERNEL32(\O,?), ref: 00E550AA

Part of subcall function 00E55361: __dosmaperr.LIBCMT ref: 00E553A4

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00E54F5C,?,000000FF,00000000), ref: 00E55139
__dosmaperr.LIBCMT ref: 00E55140
PeekNamedPipe.KERNEL32(\O,00000000,00000000,00000000,?,00000000), ref: 00E5517D

Strings

\O, xrefs: 00E55044, 00E5504C, 00E550A9, 00E5517C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID: \O
API String ID: 1206951868-2357557095
Opcode ID: 0d40c0482b9729b72419164c4bd48de0c0d5aa2966ed258f7ba4535edfdc087e
Instruction ID: 46bcc3ab1ad1aae60c117f3e02e153a27fa64414aae43b0056ddc27313dba43b
Opcode Fuzzy Hash: 0d40c0482b9729b72419164c4bd48de0c0d5aa2966ed258f7ba4535edfdc087e
Instruction Fuzzy Hash: 47415E76901A04AFCB24DFB5DD55AAFBBF9EF88301B10591DF856E3610EB309844CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E22E14 Relevance: 10.6, APIs: 7, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E22E41
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E22E65
UpdateWindow.USER32(?), ref: 00E22E7F
SendMessageW.USER32(?,00000121,?,?), ref: 00E22EA2
SendMessageW.USER32(?,0000036A,00000000,?), ref: 00E22EB9
UpdateWindow.USER32(?), ref: 00E22F0A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E22F53

Part of subcall function 00E2AB5A: GetWindowLongW.USER32(?,000000F0), ref: 00E2AB67

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 9f016db03184fb3e2f1ef736d75c28961223cf35c8cbfe26e1059a6de80c9219
Instruction ID: d94465763f779731efb5892636860cdb5c57cab2e42cbf8b5a9a73e0ec015164
Opcode Fuzzy Hash: 9f016db03184fb3e2f1ef736d75c28961223cf35c8cbfe26e1059a6de80c9219
Instruction Fuzzy Hash: AB41A431B00225BBEB269FA5ED49BAD7BB4BF04718F15506CF605B61D1C7B0AD40EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D324 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00E5D37A
ext-ms-, xrefs: 00E5D38E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 196223b5798cec548c631cf156c5345504eaac9d1ad4c97f98e4ce8acf9918cc
Instruction ID: faa23287353f91e914fbc07278b43ae329f080a0fcf9de5b2740ab48cdb3728c
Opcode Fuzzy Hash: 196223b5798cec548c631cf156c5345504eaac9d1ad4c97f98e4ce8acf9918cc
Instruction Fuzzy Hash: C421EE31E09315EFCB319B259C40BAA3758DF41765F151E20FC1AB72A1D630DC08C6D2

Uniqueness

Uniqueness Score: -1.00%

Function 00E02657 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E02661

Part of subcall function 00E297CE: __EH_prolog3.LIBCMT ref: 00E297D5
Part of subcall function 00E297CE: BeginPaint.USER32(?,?,00000004,00E02671,?,00000088), ref: 00E29801

GetClientRect.USER32(?,?), ref: 00E02684
CreateRoundRectRgn.GDI32(?,?,?,?,00000002,00000002), ref: 00E026BC
CreateRoundRectRgn.GDI32(?,?,?,?,00000002,00000002), ref: 00E026DE

Part of subcall function 00E29721: __EH_prolog3.LIBCMT ref: 00E29728
Part of subcall function 00E29721: CreateSolidBrush.GDI32(?), ref: 00E29743

FrameRgn.GDI32(?,?,?,00000001,00000001), ref: 00E02712
FrameRgn.GDI32(?,?,?,00000001,00000001), ref: 00E02732

Part of subcall function 00E29958: EndPaint.USER32(?,?,904898A6,?,?,00E75970,000000FF), ref: 00E2998A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateRect$FrameH_prolog3PaintRound$BeginBrushClientH_prolog3_Solid
String ID:
API String ID: 2703551133-0
Opcode ID: 26f427f573bdfade5f884ca8be918927a2ca0e69604af12aed775f5a016ddfb6
Instruction ID: 4f788a3d7c8f56e9e4ecec0230ec3459fa676d66dec59ab888bdbf9d5c3992d7
Opcode Fuzzy Hash: 26f427f573bdfade5f884ca8be918927a2ca0e69604af12aed775f5a016ddfb6
Instruction Fuzzy Hash: 5F31E470D00128AADF25EBA5DC46EEEBBB4FF54300F50909AE549B3292DB701E85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E3F273 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000000,?), ref: 00E3F2AE
PathFindExtensionW.SHLWAPI(?,?,00000000,?), ref: 00E3F2C8

Part of subcall function 00E29071: __CxxThrowException@8.LIBVCRUNTIME ref: 00E29085

Strings

.INI, xrefs: 00E3F3F7
.CHM, xrefs: 00E3F3AD
.HLP, xrefs: 00E3F3C3, 00E3F3C8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8ExtensionFileFindModuleNamePathThrow
String ID: .CHM$.HLP$.INI
API String ID: 1938139466-4017452060
Opcode ID: 7e12b13aa0289e8b9b479fc2de24471c9d8191dded5065d238fd082df85ad8b2
Instruction ID: 714b1440c6ea7463ca61864b077fc7ff982e080d580b50a841206631cab9cbf2
Opcode Fuzzy Hash: 7e12b13aa0289e8b9b479fc2de24471c9d8191dded5065d238fd082df85ad8b2
Instruction Fuzzy Hash: FE4181B1A007199ADB20EB74CD49B9BB7ECAF44314F54687AE545F3682EF70D984CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B471 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E2B478
GlobalLock.KERNEL32(00000000,?,?), ref: 00E2B57D
DestroyWindow.USER32(?,?,?,?,00E2B2A3,00000000), ref: 00E2B64E
GlobalUnlock.KERNEL32(00000000,?,?,?,00E2B2A3,00000000), ref: 00E2B65B
GlobalFree.KERNEL32(00000000), ref: 00E2B662

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Global$DestroyFreeH_prolog3_catchLockUnlockWindow
String ID:
API String ID: 571947920-0
Opcode ID: 9639383249bc9d28e012d7f0750ff528b0277437e727a75fdb67be2afc1a455a
Instruction ID: 908a54b62d6f571632a73f30292cf6c63138eba245f0a652f4769d941dbe55fa
Opcode Fuzzy Hash: 9639383249bc9d28e012d7f0750ff528b0277437e727a75fdb67be2afc1a455a
Instruction Fuzzy Hash: D4517F31E00229DFCF15EFA4D885AEEBBB5BF08304F145159E911B72A2DB749E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CE4E Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?,904898A6,?,?,?,00E773AE,000000FF), ref: 00E2CE95
GlobalHandle.KERNEL32(00000000), ref: 00E2CEA4
GlobalUnlock.KERNEL32(00000000,?,?,?,00E773AE,000000FF), ref: 00E2CEAD
GlobalFree.KERNEL32(00000000), ref: 00E2CEB4
DeleteCriticalSection.KERNEL32(?,904898A6,?,?,?,00E773AE,000000FF), ref: 00E2CEBE

Part of subcall function 00E2D0B1: EnterCriticalSection.KERNEL32(?,00000001,00000000,00000010,?,?,00000000), ref: 00E2D12C
Part of subcall function 00E2D0B1: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 00E2D13F
Part of subcall function 00E2D0B1: LocalFree.KERNEL32(?,?,?,00000000), ref: 00E2D148
Part of subcall function 00E2D0B1: TlsSetValue.KERNEL32(?,00000000,?,?,00000000), ref: 00E2D164

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 12f4f33ae25ebc26ba9f27ed5e1b50d69197867cad9f8b904877586771eeb4d3
Instruction ID: 75651e8f37694f9c1d96c1de83f5fc92269ddca6f64a02e26651db0dc1b46b94
Opcode Fuzzy Hash: 12f4f33ae25ebc26ba9f27ed5e1b50d69197867cad9f8b904877586771eeb4d3
Instruction Fuzzy Hash: DE01CC31600616EFCB20DF25EC08B6ABBA8FF05724F110225F816A32A0CB30A855CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00E26E3E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00E81920,00000000,00000001,00000000), ref: 00E26E83
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 00E26EA4
RegCloseKey.ADVAPI32(00000000), ref: 00E26EE8

Strings

g, xrefs: 00E26E5B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: g
API String ID: 3677997916-3113042404
Opcode ID: ec825e316a188a9402c789f237c8b1be3daf17d371d0e84144d9e25f44a3f803
Instruction ID: 83acfd02b4cb492218d165598a8043397aeb3b5fda263c4c76bfc82a8dfbaf80
Opcode Fuzzy Hash: ec825e316a188a9402c789f237c8b1be3daf17d371d0e84144d9e25f44a3f803
Instruction Fuzzy Hash: F8215E76A10214FFEF10CF91DC85BAEB7B4FF1131AF119558E415B6080E7B4AA48CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E13A80 Relevance: 6.1, APIs: 4, Instructions: 55processCOMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E13AB9
Process32FirstW.KERNEL32(00000000,00000002), ref: 00E13AD3
Process32NextW.KERNEL32(00000000,?), ref: 00E13B07
CloseHandle.KERNEL32(00000000,00000002,00000000,?,00000000,75C95D50), ref: 00E13B15

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
String ID:
API String ID: 4013288513-0
Opcode ID: e6cb993f169d0530de7c7f72b325021fcd1c7abcbebdacbc51f68b6469a3fc0e
Instruction ID: bf989f1dfd7d81e560f18627b265b336b23af9048115f0bbc13b10c4921a7f31
Opcode Fuzzy Hash: e6cb993f169d0530de7c7f72b325021fcd1c7abcbebdacbc51f68b6469a3fc0e
Instruction Fuzzy Hash: 9E11CC712066016BD620FB30EC45FEFB7ED9F95354F445519F848A3283E6359A48C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E26586 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00E265AA
PathFindExtensionW.SHLWAPI(?), ref: 00E265C0

Part of subcall function 00E25F1E: __EH_prolog3_GS.LIBCMT ref: 00E25F28

Strings

%Ts%Ts.dll, xrefs: 00E265CD

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ExtensionFileFindH_prolog3_ModuleNamePath
String ID: %Ts%Ts.dll
API String ID: 3433622546-1896370695
Opcode ID: a741856caa96f46ad79c550cf50c5771f4dd7d203d643a90ec1a6978e0445568
Instruction ID: 201cfc2c6020064884a8e9dfb9753a147622107de0d0d88fc9576cbffdf01a2e
Opcode Fuzzy Hash: a741856caa96f46ad79c550cf50c5771f4dd7d203d643a90ec1a6978e0445568
Instruction Fuzzy Hash: 2C018671A00118ABDB11EBA4ED49AEF77FCEF09710F4105A6A505F7180EB70EA498B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E3F215 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,00E33278,00000000,?,00E32FEE,904898A6,00000000), ref: 00E3F21B
SetErrorMode.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,00E33278,00000000,?,00E32FEE,904898A6,00000000), ref: 00E3F227

Part of subcall function 00E3F273: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000000,?), ref: 00E3F2AE
Part of subcall function 00E3F273: PathFindExtensionW.SHLWAPI(?,?,00000000,?), ref: 00E3F2C8

Strings

/, xrefs: 00E3F24D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$ExtensionFileFindModuleNamePath
String ID: /
API String ID: 1764437154-3878498614
Opcode ID: 0f6b1c6484e43afb12cb9e24e86d88b2e142e4c279b1f918ee3b5a6e9a5ab973
Instruction ID: 6cc1724e77c9237142919a8042277dce932681116d002e86d14b9145fc8764f6
Opcode Fuzzy Hash: 0f6b1c6484e43afb12cb9e24e86d88b2e142e4c279b1f918ee3b5a6e9a5ab973
Instruction Fuzzy Hash: C3F09A719157048FDB10FF69E80DB4A7FE8AF04314F019069F448AB2A3D731C892CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E60423 Relevance: 4.7, APIs: 3, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94385a803544b6f4d2c7acc46b861d148ea30a69bf4c964601eaf25aae200948
Instruction ID: 3753009a598c1aeaca1a5eebb05fb3e2a4002bb5458b3fb54289d914e2912fec
Opcode Fuzzy Hash: 94385a803544b6f4d2c7acc46b861d148ea30a69bf4c964601eaf25aae200948
Instruction Fuzzy Hash: 4E61D271E4022AAFDB21DFA8E845BEFB7B8FF49394F046551E401B7292D770AD008B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E62753 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E627C6
_free.LIBCMT ref: 00E6281C

Part of subcall function 00E625F8: _free.LIBCMT ref: 00E62650
Part of subcall function 00E625F8: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00E8A000), ref: 00E62662
Part of subcall function 00E625F8: WideCharToMultiByte.KERNEL32(00000000,00000000,W. Europe Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00E626DA
Part of subcall function 00E625F8: WideCharToMultiByte.KERNEL32(00000000,00000000,W. Europe Summer Time,000000FF,?,0000003F,00000000,?), ref: 00E62707

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 6b2e8287ad0fa79e67b28fb59ad436f76cff913eb128affb717b3a35b72ebed9
Instruction ID: f838aa0169aba1a44d28ac9f6db75bdf87bff0afbe48e96d4db281356a76e096
Opcode Fuzzy Hash: 6b2e8287ad0fa79e67b28fb59ad436f76cff913eb128affb717b3a35b72ebed9
Instruction Fuzzy Hash: 78218132C4451A5BD7349735AC89EEF73B8DB813E0F10225EEA94731C0EF306D8596A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E57AE3 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,00E0EC8E,?,00E57A19,00E0EC8E,00E9D560,0000000C,00E57AC1,00E9D360), ref: 00E57B39
GetLastError.KERNEL32(?,00E57A19,00E0EC8E,00E9D560,0000000C,00E57AC1,00E9D360), ref: 00E57B43
__dosmaperr.LIBCMT ref: 00E57B6E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 36b51cdfdea4612aa5676bd08d63cf56e55a6290eeef364b4b491fdcd0ce5b16
Instruction ID: 1220ca06b9a4cb677ea14209a499ec43ec061c7a198ab2f6edba7856e8abf411
Opcode Fuzzy Hash: 36b51cdfdea4612aa5676bd08d63cf56e55a6290eeef364b4b491fdcd0ce5b16
Instruction Fuzzy Hash: 1701893271C5301AC6645234B889B7F678A4BC2B3AF292F58FC48FB1D3DA608CD98190

Uniqueness

Uniqueness Score: -1.00%

Function 00E54E2C Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00E01C1D,?,Function_00054CCE,00000000,?,00E01C1D), ref: 00E54E75
GetLastError.KERNEL32(?,?,?,?,00E0E598,00000000,00000000,VWh`,?,00000000), ref: 00E54E81
__dosmaperr.LIBCMT ref: 00E54E88

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 8e85b6cd57cd34fd09f0158ca9dbcfc7f71550c13fca160dd9ada4f2a701d074
Instruction ID: 5cb385e0975659a5b483c71589c71e85767840fa4f20d5dff8d0b2c81344d92a
Opcode Fuzzy Hash: 8e85b6cd57cd34fd09f0158ca9dbcfc7f71550c13fca160dd9ada4f2a701d074
Instruction Fuzzy Hash: BE0180B2500219AFDF159FA1DC0A9AE7BB4FF0036AF105458FC05AA2D0DB319994D790

Uniqueness

Uniqueness Score: -1.00%

Function 00E61F0A Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,004BEC50,00000002,00E0EC8E,00000000,004BEC50,00E0EC8E,00E9D360,00E9D360,?,00E61FB9,00E0EC8E,004BEC50,00000002,00000000), ref: 00E61F43
GetLastError.KERNEL32(?,00E61FB9,00E0EC8E,004BEC50,00000002,00000000,?,00E604D6,00E0EC8E,00000000,00000000,00000002,004BEC50,00E0EC8E,00E0EC8E,00E4F84C), ref: 00E61F4D
__dosmaperr.LIBCMT ref: 00E61F54

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 73abca1e18cdcc6ac56b54add3931bd0c7bc893921b4e83b9375d0df6e10d0f0
Instruction ID: 6d926b62e9fccb6acc7e69a915837c4a346f0c46d2636c43f3c7bf19867d9de3
Opcode Fuzzy Hash: 73abca1e18cdcc6ac56b54add3931bd0c7bc893921b4e83b9375d0df6e10d0f0
Instruction Fuzzy Hash: F2012D327101146FCB059F99FC058AE376AFF853607281248F815B7291E731DD509790

Uniqueness

Uniqueness Score: -1.00%

Function 00E2538C Relevance: 4.5, APIs: 3, Instructions: 46windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000030,00000000,00000000,00000000), ref: 00E252C5
TranslateMessage.USER32(00000030), ref: 00E252E4
DispatchMessageW.USER32(00000030), ref: 00E252EB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: bf40450ab14273e080768b6c4230e6e01653560e8bff61f7821e87e08bb86ad0
Instruction ID: f3cc60062a81c6db05144f6595ff72282ad49bd36ec697af88fe86b11bbcbfb9
Opcode Fuzzy Hash: bf40450ab14273e080768b6c4230e6e01653560e8bff61f7821e87e08bb86ad0
Instruction Fuzzy Hash: EFF04F33311831AB8712AB39BE448FE67ADFF863623452026F805F7155DB34DD869AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E01F1A Relevance: 4.5, APIs: 3, Instructions: 42windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E01F21
LoadIconW.USER32(?,00000080), ref: 00E01FA4
CreateSolidBrush.GDI32(00403630), ref: 00E01FB5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: BrushCreateH_prolog3IconLoadSolid
String ID:
API String ID: 2092048932-0
Opcode ID: 7783d09f9e3e2aad122a73b391c0e93c8ae419d92a75b0a0406b8d6f9753446a
Instruction ID: 4857db159f8780e5486ee34e344307dee4d594a6ee6aa5e3e3012e0eca8c98e6
Opcode Fuzzy Hash: 7783d09f9e3e2aad122a73b391c0e93c8ae419d92a75b0a0406b8d6f9753446a
Instruction Fuzzy Hash: 08113CB0A01706BEC705EFB5988A7C9FBE0BF18300F50961DE11C67382CB716264CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E54D83 Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E5CF9F: GetLastError.KERNEL32(?,?,?,00E4EA47,00E5D11B,?,?,00E5B4AC,?,?), ref: 00E5CFA4
Part of subcall function 00E5CF9F: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E5B4AC,?,?), ref: 00E5CFCA

ExitThread.KERNEL32 ref: 00E54D95
CloseHandle.KERNEL32(?,?,?,00E54EBE,?,?,00E54D2C,00000000), ref: 00E54DBD
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00E54EBE,?,?,00E54D2C,00000000), ref: 00E54DD3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: fa1c2380381cfc5795960469db52b3820b752242a686c93fdbb5c080b3c76129
Instruction ID: 200379179835fb4e2f78de7b5dc311c74af2960d9856100c3261697f11340b3f
Opcode Fuzzy Hash: fa1c2380381cfc5795960469db52b3820b752242a686c93fdbb5c080b3c76129
Instruction Fuzzy Hash: 69F03AB05006016BCB255B35C848A5A3AA9AF4036EF599F14FD29F25E1D720DCC98790

Uniqueness

Uniqueness Score: -1.00%

Function 00E14040 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

__fread_nolock.LIBCMT ref: 00E140E0

Strings

c:\rhub2\pcsetup\pcsetup.cpp, xrefs: 00E14072

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__fread_nolock
String ID: c:\rhub2\pcsetup\pcsetup.cpp
API String ID: 3992567027-158182345
Opcode ID: 9ab7083b22afa4722539bda65e3c6b927f8c0650307a896f9e8d24ac3ce12047
Instruction ID: 4d9f02ac2744357211e11b6daa9229e9f533f18f4f3b404f6bb8587d43903cfe
Opcode Fuzzy Hash: 9ab7083b22afa4722539bda65e3c6b927f8c0650307a896f9e8d24ac3ce12047
Instruction Fuzzy Hash: 6F1172F26043106BD720EB24DC82FDAB3D8AF99701F515829F744B7281E774544587A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E26D36 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__snprintf_s.LIBCMT ref: 00E26D78

Part of subcall function 00E24FEC: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 00E25001

Strings

LOC, xrefs: 00E26D5B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: __snprintf_s__vsnwprintf_s_l
String ID: LOC
API String ID: 3877413697-519433814
Opcode ID: 72ef61d20eae3fae72d43415dc8c08b7dc2b9204a176c82bf92eedaf82d3776a
Instruction ID: 0d24a8b5ecf92ec16bf3653ff6f7a2d8339af3a75e99488f0796bba81e171f1b
Opcode Fuzzy Hash: 72ef61d20eae3fae72d43415dc8c08b7dc2b9204a176c82bf92eedaf82d3776a
Instruction Fuzzy Hash: 0B117072701328BADB10BB74FC46BDE33A8BB45724F4026A1F505BB1D2EB30AD549760

Uniqueness

Uniqueness Score: -1.00%

Function 00E25F1E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E25F28

Part of subcall function 00E25951: __EH_prolog3.LIBCMT ref: 00E25958

Part of subcall function 00E2F894: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,?,00000108,00E265EA,?,?), ref: 00E2F8C7
Part of subcall function 00E2F894: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00E2F8D7
Part of subcall function 00E2F894: EncodePointer.KERNEL32(00000000,?,?,?,00000108,00E265EA,?,?), ref: 00E2F8E0

Strings

y, xrefs: 00E25F7A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressEncodeH_prolog3H_prolog3_HandleModulePointerProc
String ID: y
API String ID: 2515442129-4225443349
Opcode ID: 89b6f93147aafd883489329966dbff24d9abe22bd7bb105255f97eff5498defb
Instruction ID: c14b7cfe48407d94ba37580801f79c9ad1ba208660ef50f88b854d0705769ecf
Opcode Fuzzy Hash: 89b6f93147aafd883489329966dbff24d9abe22bd7bb105255f97eff5498defb
Instruction Fuzzy Hash: CF218E72D055389BDB35EB60DE42BDDB3B8AF25320F1052D4E68476281DBB09EC48F90

Uniqueness

Uniqueness Score: -1.00%

Function 00E13C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,904898A6), ref: 00E13C97

Part of subcall function 00E16610: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,?,00003829,?,?,00E017B0,?,00000000,00001000), ref: 00E16644
Part of subcall function 00E16610: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00E017B0,?,00000000,00001000,?,?), ref: 00E16661

Strings

SYSTEM, xrefs: 00E13CDB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$NameUser
String ID: SYSTEM
API String ID: 3721927898-968218125
Opcode ID: 45c02d13a65118c0cc7ec87d0be5008c220be628953efa988f337cbe5b79c49e
Instruction ID: fd1e421ae59efadb4d3aee556ebc0af5521d7c2dd8de56f795c4d6fe41f093ec
Opcode Fuzzy Hash: 45c02d13a65118c0cc7ec87d0be5008c220be628953efa988f337cbe5b79c49e
Instruction Fuzzy Hash: 381129B55083405ACB21DF30D896AEB7BEEAF96304F445819D4C5E7142EB37D64CC791

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D5BE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CreateActCtxWWorker.KERNEL32(?,00E1D8C1,00000020), ref: 00E1D5FC

Part of subcall function 00E1D70D: GetProcAddress.KERNEL32(00000000,O), ref: 00E1D73B

Strings

CreateActCtxW, xrefs: 00E1D5CC

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressCreateProcWorker
String ID: CreateActCtxW
API String ID: 1321444865-1163823230
Opcode ID: 318270073b1070af5ea85d743001340173875a018b661a699c6b160e8320771b
Instruction ID: 93e86ce0216887baf14a4019daf249738a2250856e3dce43c6a5a74d35fdd47a
Opcode Fuzzy Hash: 318270073b1070af5ea85d743001340173875a018b661a699c6b160e8320771b
Instruction Fuzzy Hash: 9FE08631A58738AB46322B555C018D97A199B16BB53021212F8197B6E0CA60AC84C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E21F58 Relevance: 3.4, APIs: 2, Instructions: 419COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E21F62

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 9fde6f490cc3563719b5885168da24d83d06867adeed9e3ebe81a8ad4ec4ec62
Instruction ID: c53e1cc16420233d8c63cba31bd48d5c053e93dd9f8285da557fd3892cd49203
Opcode Fuzzy Hash: 9fde6f490cc3563719b5885168da24d83d06867adeed9e3ebe81a8ad4ec4ec62
Instruction Fuzzy Hash: DFF17A71A00229EFDF18DF64D880AAE77B5BF48314F14556DEA16BB292CB349D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E54EBF Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087cc973212cb0434a4738f5a436c782a63363d12caa1caacf8551cbf649e143
Instruction ID: 2c81eeafe253f650c0e67ff305ef3dfd6bcd4333ab086b691a641e130022ea23
Opcode Fuzzy Hash: 087cc973212cb0434a4738f5a436c782a63363d12caa1caacf8551cbf649e143
Instruction Fuzzy Hash: 9221F7719052087BEB106B68EC41FAE37A9EF41339F102711FD283B2C1DB705D4996B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E60041 Relevance: 3.1, APIs: 2, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00E0EC8E,00E0EC8E,?,00E60582,00E4F84C,00E0EC8E,00E0EC8E,?,004BEC50,00E0EC8E), ref: 00E600DC
GetLastError.KERNEL32(?,00E60582,00E4F84C,00E0EC8E,00E0EC8E,?,004BEC50,00E0EC8E,00E0EC8E,00E4F84C,00E0EC8E,004BEC50,?,?,00E4F8DE,?), ref: 00E60105

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 0b1c9bdc70714c18b9693ca26110de5d9ffd90a275d8f42b54993b315fccf300
Instruction ID: d5c86af5bbc8fc81e6226ddeb28539f6ca00e790f0c5e5e862b1e072bf87d095
Opcode Fuzzy Hash: 0b1c9bdc70714c18b9693ca26110de5d9ffd90a275d8f42b54993b315fccf300
Instruction Fuzzy Hash: AC21A6756002199FCB14CF59DC80BEAB3F8FB49351F1054A9E546E7251D770AE85CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00E2336C Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E23373

Part of subcall function 00E229B1: SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00E229EB
Part of subcall function 00E229B1: SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00E22A15
Part of subcall function 00E229B1: GetCapture.USER32 ref: 00E22A2B
Part of subcall function 00E229B1: SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00E22A3A

WinHelpW.USER32(?,?,?,?), ref: 00E233B1

Part of subcall function 00E2D82F: __EH_prolog3.LIBCMT ref: 00E2D836

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$H_prolog3$CaptureHelp
String ID:
API String ID: 3232900797-0
Opcode ID: 4a3a81a4b79acea1b9ccd61335a43ad788e5c3333953384357f8a3afa05f0bd6
Instruction ID: e75fadf04a2c39f3993c63ae3baa8c23d3af2b5d25fe55bea6e42025b98b6d53
Opcode Fuzzy Hash: 4a3a81a4b79acea1b9ccd61335a43ad788e5c3333953384357f8a3afa05f0bd6
Instruction Fuzzy Hash: 50219D75600228BBCF05AF61DC06AED7BAAEF44320F049055FD15772A1DB359A90DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E1F386 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00E2D29E: __EH_prolog3.LIBCMT ref: 00E2D2A5

UnhookWindowsHookEx.USER32(?), ref: 00E1F3B0
DefWindowProcW.USER32(?,00000360,?,?,?,00000000,?,00E1DEA6,?,00E2B628,?,?,?,00E2B2A3,00000000), ref: 00E1F413

Part of subcall function 00E1ED31: __EH_prolog3_catch_GS.LIBCMT ref: 00E1ED38

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch_HookProcUnhookWindowWindows
String ID:
API String ID: 2533299859-0
Opcode ID: a2c98341af50a541812dbb5561ed4a26e21edd262cd03541ed0048928619add8
Instruction ID: 554e13af2ab4c972d523720eadbef7811bcff6f08d3249b5476713a4aabbff58
Opcode Fuzzy Hash: a2c98341af50a541812dbb5561ed4a26e21edd262cd03541ed0048928619add8
Instruction Fuzzy Hash: 2C11C232405615EBDF22AF60AC08BEB3BA4BF04325F006835F92671062D734D9D0DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D3EC Relevance: 3.1, APIs: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f44611ecca9d47660a8f1e6acd2977a5360482cb74621c3dd1f7c6878825dc
Instruction ID: dcd0bc73f060c2cc27751f0658cd92d47e6f7c0693da65e1da5f4e247120dd3a
Opcode Fuzzy Hash: 27f44611ecca9d47660a8f1e6acd2977a5360482cb74621c3dd1f7c6878825dc
Instruction Fuzzy Hash: 6501F5377046119F9B25CE6AEC4495E33E6EBC53357289520FE11FB194DA30F809C640

Uniqueness

Uniqueness Score: -1.00%

Function 00E551A1 Relevance: 3.1, APIs: 2, Instructions: 55timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,00E550D5,?,?,00000000,00000000), ref: 00E551CF
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,00E550D5,?,?,00000000,00000000), ref: 00E551E3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: af04f865326f2c6c2ebe49cc8678c9661c55041de4c165f792506b01e7c013d7
Instruction ID: 5091dd11d7d11820ce435a8599780ff093025b6f98d43a482d38011727708fc6
Opcode Fuzzy Hash: af04f865326f2c6c2ebe49cc8678c9661c55041de4c165f792506b01e7c013d7
Instruction Fuzzy Hash: 7C111C7690060CABDB00DFA5D944ADFB7BCAF08311F505666E916F2190EB30EA48CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E54CCE Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E9D440,00000010), ref: 00E54CE1
ExitThread.KERNEL32 ref: 00E54CE8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 23283bef3bd51d42d500c7a6d7de5690e744b245d98bbbffd67baf4a3a5c713f
Instruction ID: dddb86d39ecb4e9c73713f471785cd27f2a0c1c132d7ec04788688e038869619
Opcode Fuzzy Hash: 23283bef3bd51d42d500c7a6d7de5690e744b245d98bbbffd67baf4a3a5c713f
Instruction Fuzzy Hash: 85F0A4B0940214AFDB15AB70C84AAAD77B4FF44312F201849F805B7292CB345998DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E2048E Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E204D3
CallWindowProcW.USER32(?,?,?,?,?), ref: 00E204DC

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 71c9134277d0ae8f4a8829be8dc6e2c5685183b2e881bac03c21865600e86f0e
Instruction ID: 1db132d6aa555c34cc787f0d11d6319010eebe8c3feeeef10f84279c35e54cfe
Opcode Fuzzy Hash: 71c9134277d0ae8f4a8829be8dc6e2c5685183b2e881bac03c21865600e86f0e
Instruction Fuzzy Hash: 65F06D3620011AFFCF069FA5DC08DA9BB7AFF48311B048016FA18A2562D731D860EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E1F1EE Relevance: 3.0, APIs: 2, Instructions: 32threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2D29E: __EH_prolog3.LIBCMT ref: 00E2D2A5

GetCurrentThreadId.KERNEL32 ref: 00E1F216
SetWindowsHookExW.USER32(00000005,00E2359E,00000000,00000000), ref: 00E1F226

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CurrentH_prolog3HookThreadWindows
String ID:
API String ID: 841563119-0
Opcode ID: 1083135cffde51276f64174c5e90d5f48505dd156d386102db2d68a1c4bff857
Instruction ID: 20d72b2db846c21d0900599db2d03cb6c5edfc641a188e260109c0aeee15aa75
Opcode Fuzzy Hash: 1083135cffde51276f64174c5e90d5f48505dd156d386102db2d68a1c4bff857
Instruction Fuzzy Hash: 4AF02E755407159FD3306B926C05B9677E8EF85B11F102039F60575561DA30D881C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B100 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00E2B10E
SetWindowTextW.USER32(?,000003E8), ref: 00E2B12A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Text
String ID:
API String ID: 848690642-0
Opcode ID: c38ffd74a45fb162628a38c2b29fb283593fce33144b9b357b6f17e7b1c44ee4
Instruction ID: 0716c34050bf595c619b3e2110389ca63c053f6669dd16d33a91228dad2cc656
Opcode Fuzzy Hash: c38ffd74a45fb162628a38c2b29fb283593fce33144b9b357b6f17e7b1c44ee4
Instruction Fuzzy Hash: 72F027326016258FCB329F21EC1892ABBB5FF44B51B041029E549B3221EF31AC20DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E297CE Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E297D5
BeginPaint.USER32(?,?,00000004,00E02671,?,00000088), ref: 00E29801

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: BeginH_prolog3Paint
String ID:
API String ID: 697162482-0
Opcode ID: cf83227517ea8cbe0498aeb5e8be3e56f82ece41f3e56200417e587fd4cda695
Instruction ID: 68ef74b58d4a02891706acdd90725f2f382b913c36b6b6961f44e01021a7db61
Opcode Fuzzy Hash: cf83227517ea8cbe0498aeb5e8be3e56f82ece41f3e56200417e587fd4cda695
Instruction Fuzzy Hash: 23F0FEF0A017159FC764DF78E501A5A7AE4AF48700B00A92DF5ADE7741E730D940CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E25179 Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E2518C
SetWindowsHookExW.USER32(000000FF,Function_00025834,00000000,00000000), ref: 00E2519C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 1886f2338617e1a660557355305985dadb1fda2f4acdb98e559a0ebd20046651
Instruction ID: 9de8e43cac8e5b8ff764b2ddd3c107dcc30524fbcf1f06807f2733d201a6029f
Opcode Fuzzy Hash: 1886f2338617e1a660557355305985dadb1fda2f4acdb98e559a0ebd20046651
Instruction Fuzzy Hash: CCD0A732C49B603EEF20AB707C0DB593AA49F01324F041354F420791E2D67084C2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E56FBE Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e35e109573b083247c3283fe904b6db35e320a111c9956abdfe383872c3be30
Instruction ID: 56e92949f9d069de509ce2654bf31bff63dddeddaae2a17f43720f04af1599c3
Opcode Fuzzy Hash: 7e35e109573b083247c3283fe904b6db35e320a111c9956abdfe383872c3be30
Instruction Fuzzy Hash: B4412970A08104AFDB10CF58DC41AAA7BF1EF85365F289568FC88BB391D2319D5AC790

Uniqueness

Uniqueness Score: -1.00%

Function 00E02B48 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

Part of subcall function 00E2A72B: GetDlgItem.USER32(?,?), ref: 00E2A73C

Part of subcall function 00E2B152: ShowWindow.USER32(?,000003E8,?,?,00E027E3,000003E8,00000005), ref: 00E2B163

Part of subcall function 00E2AE75: MoveWindow.USER32(?,?,?,?,?,?,?,?,00E023E7,?,?,?,?,?), ref: 00E2AE92

Part of subcall function 00E2B100: IsWindow.USER32(?), ref: 00E2B10E
Part of subcall function 00E2B100: SetWindowTextW.USER32(?,000003E8), ref: 00E2B12A

InvalidateRect.USER32(?,00000000,00000001,000003EC,000003EC,?,000003EC,00000000,00000000,?,00000000,00000001,000003F1,00000000,000003F0,00000000), ref: 00E02CDC

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$ByteCharInvalidateItemMoveMultiRectShowTextWide
String ID:
API String ID: 2459327819-0
Opcode ID: e268abb0f38f367255f77b6afdc50f2b31a5b1ad50ba703d7160a2468697e187
Instruction ID: e8c124a51deccf73046a40abea854c73e712b2e61f3d929077c86ffa302d7daf
Opcode Fuzzy Hash: e268abb0f38f367255f77b6afdc50f2b31a5b1ad50ba703d7160a2468697e187
Instruction Fuzzy Hash: 9A4127717006282BEA06B3316C92E7F63EEAF84740F046639B346BB2D2EF645D814755

Uniqueness

Uniqueness Score: -1.00%

Function 00E1ED31 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E1ED38

Part of subcall function 00E2D29E: __EH_prolog3.LIBCMT ref: 00E2D2A5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch_
String ID:
API String ID: 863784098-0
Opcode ID: 2b64f5be92f74d596fb210e9c79f3aaef5267fcdffc14bf55bcdf982b29a668a
Instruction ID: 07925a770014446f71df78241add67cf3a34f432a1be1d3786200c3132b50db1
Opcode Fuzzy Hash: 2b64f5be92f74d596fb210e9c79f3aaef5267fcdffc14bf55bcdf982b29a668a
Instruction Fuzzy Hash: 8631E276E00219DBCF05DFA9D8819DEBBB5BF88310F14546AEA11BB351C770A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E26C37 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E2F81B: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F82D
Part of subcall function 00E2F81B: GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00E2F83D
Part of subcall function 00E2F81B: EncodePointer.KERNEL32(00000000,?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F846
Part of subcall function 00E2F81B: GetLocaleInfoEx.KERNEL32(?,00E26C60,00E25FB2,00000003,?,00000004,00000000,00E25FB2), ref: 00E2F874

__snprintf_s.LIBCMT ref: 00E26C94

Part of subcall function 00E24FEC: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 00E25001

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressEncodeHandleInfoLocaleModulePointerProc__snprintf_s__vsnwprintf_s_l
String ID:
API String ID: 1585518483-0
Opcode ID: 152f28b9e1476c70caa71e5b1109547e68a791728fb6a34fd4edaacec6804104
Instruction ID: ef1afe964070d0aaef0876e44e93cf35e23133bce40c9a7aa5304708fffb09c1
Opcode Fuzzy Hash: 152f28b9e1476c70caa71e5b1109547e68a791728fb6a34fd4edaacec6804104
Instruction Fuzzy Hash: 24117271A10228ABDB14BB64ED57FDE73E8FB04714F041195F511B71D2EA34AA048760

Uniqueness

Uniqueness Score: -1.00%

Function 00E4E31D Relevance: 1.6, APIs: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof.LIBCMT ref: 00E4E35F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: 0f3f70081d1b00d8696b4bd126fef16f4e87e397386ddcdf862d1c643b9a349d
Instruction ID: 35a9b4f128161de9818a65465c262b321d173ab769b484fc0081bf0692be9ac5
Opcode Fuzzy Hash: 0f3f70081d1b00d8696b4bd126fef16f4e87e397386ddcdf862d1c643b9a349d
Instruction Fuzzy Hash: 76216F715007099ED721DF51D981ABBB7F8FB04314B501A2AE552A7651EB30F945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BA85 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E2BAC1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: 427a727a25649ca603b18e144f35af56b4a167495f92dd675fd6b6c29988290a
Instruction ID: 92469d07aca41fb18ebad1bf4634c4051853739633bdcc5a301032d1a7c64d1c
Opcode Fuzzy Hash: 427a727a25649ca603b18e144f35af56b4a167495f92dd675fd6b6c29988290a
Instruction Fuzzy Hash: 7E11903160022AABCF109F66ED44DAB7BBDEF84354B045429FC02B3266DB31DC10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E26420 Relevance: 1.6, APIs: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00E26441

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6f5a35e0f3d17d134815013f3a7c165a9ec989cc986c13f8f859c50f6555e6dd
Instruction ID: 9456191e53030172cfe0c860a415ce7978bb1229ac0d17a1d1d60d1b6e2a974a
Opcode Fuzzy Hash: 6f5a35e0f3d17d134815013f3a7c165a9ec989cc986c13f8f859c50f6555e6dd
Instruction Fuzzy Hash: 9911B235700625AFCB08AF66EC4486DBBA9FF89321704413AF959E7311DB30AC108F90

Uniqueness

Uniqueness Score: -1.00%

Function 00E20526 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,?,00E2C1BA,904898A6,?,00000000,00E75970,000000FF,?,00E0210F,?,00E021C9), ref: 00E2056B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c316031a15d809fe2871827efeed4e5d8a19b57343794f870e80a5f45f1a6862
Instruction ID: 9908b0c402af0656079083f8c331320afcf4d84ddcb30689a6687abdde5e777f
Opcode Fuzzy Hash: c316031a15d809fe2871827efeed4e5d8a19b57343794f870e80a5f45f1a6862
Instruction Fuzzy Hash: 4C11E5363405369B8B25DB25F80096ABBE9FF847657151026ED04F3792DB20ED41DFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00E264C7 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E264CE

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 6fa60ec1eea4f849b0a4b2f099bf50cf5e57f12348e3654fb61cf6462fca4144
Instruction ID: 2396762f5102b97175a47255b52fa8062c6e634cb5de824efca11211fae683e0
Opcode Fuzzy Hash: 6fa60ec1eea4f849b0a4b2f099bf50cf5e57f12348e3654fb61cf6462fca4144
Instruction Fuzzy Hash: BF112C35B106258FCF08EF65985476C37A5BF49711F0514AAE80ABB396CF34AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D39C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E2A765: GetDlgItem.USER32(00000000,?), ref: 00E2A776

Part of subcall function 00E23173: SetWindowLongW.USER32(00000000,000000FC,00E1F3D3), ref: 00E231B7

GetParent.USER32(00000000), ref: 00E1D409

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ItemLongParentWindow
String ID:
API String ID: 869538736-0
Opcode ID: 668c0b1cc8335bc1e5acbdf9e086f4b2932025e832b130f239efcd2e80753d73
Instruction ID: 9d548e333461c0a52315aa4070d5d8b8969a378d104af9978544a7093e1e1bb9
Opcode Fuzzy Hash: 668c0b1cc8335bc1e5acbdf9e086f4b2932025e832b130f239efcd2e80753d73
Instruction Fuzzy Hash: 10118E31300119ABCF10AF21DD01AAEB7AABF94714F04A028F82AB2551EB30FE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E5F5CF Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E5F60D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d1d37627c6de93388be355cad8a94492baad7960fbb02d902057998029954ed1
Instruction ID: 009677484510601564bceceb97c24a3795472d2b0afcede38492f55ef756cf35
Opcode Fuzzy Hash: d1d37627c6de93388be355cad8a94492baad7960fbb02d902057998029954ed1
Instruction Fuzzy Hash: 0E1106B190410AAFCF05DF58E94199A7BF9EF48315F1044A9FC08AB211D631EA158BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4F816 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4ffa6159747971b9d251a9f36a7f6700f78132360cb475c8dde5537a0a3df6
Instruction ID: 81518da4ed2fad51ef944083c77ccdd95d8a4873875847fc4b84a8cfb28d5a60
Opcode Fuzzy Hash: 7b4ffa6159747971b9d251a9f36a7f6700f78132360cb475c8dde5537a0a3df6
Instruction Fuzzy Hash: 09F02D32900B1056D639367AFC05B9A33D8DF56735F142B35F964B72D2CB70D50686E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D29E Relevance: 1.5, APIs: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E2D2A5

Part of subcall function 00E2CDBB: TlsAlloc.KERNEL32(?,00E2D2D1,00000004,00E1DDEC,00E1DEA6,00E25C04,904898A6), ref: 00E2CDDA
Part of subcall function 00E2CDBB: InitializeCriticalSection.KERNEL32(00EAF7E4,?,00E2D2D1,00000004,00E1DDEC,00E1DEA6,00E25C04,904898A6), ref: 00E2CDEB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID:
API String ID: 2369468792-0
Opcode ID: 254da8b090a4eb46f0bc6a5dfde2b077c8dc2e4bcec748e0a65af1b40859c2c8
Instruction ID: bb69be915edba6cf3370360f04f9ab02141f7f486d9f5d549e44ad26f6e53bdb
Opcode Fuzzy Hash: 254da8b090a4eb46f0bc6a5dfde2b077c8dc2e4bcec748e0a65af1b40859c2c8
Instruction Fuzzy Hash: 0D015E70A142269BDB24EFB5EC0565D3AE4EF04354B106139FA91FB291DB30DD40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E61FBE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00E5DEBD: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

_free.LIBCMT ref: 00E61FDE

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: bef16a4f3639cc9212fcd3d4d8a6f2f8b5e028ab84505a114cfea6b337d66911
Instruction ID: da8edc5ca64c6a734f6394e80f35995dfa575b74a9bf1723818a7a5e2c2e4562
Opcode Fuzzy Hash: bef16a4f3639cc9212fcd3d4d8a6f2f8b5e028ab84505a114cfea6b337d66911
Instruction Fuzzy Hash: CCF062710057048FE3349F00D845753B7F8EB04715F10882EE69AABA91CBB4F448CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BE60 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CreateDialogIndirectParamW.USER32(?,?,?,?,?), ref: 00E2BEA6

Part of subcall function 00E1D692: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,00E24F6F,?,00E9AA90,00000010,00E1F325,?), ref: 00E1D6A6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateDebugDialogIndirectOutputParamString
String ID:
API String ID: 3066322445-0
Opcode ID: e6d07e52935988ccbbdc7b63ba99025f6bd669de712f9c80400ace1b30a8b51d
Instruction ID: a67c4a8d6279f336433a6dfd1a831b47c5f2e91bb921bc274efb27556ea8f139
Opcode Fuzzy Hash: e6d07e52935988ccbbdc7b63ba99025f6bd669de712f9c80400ace1b30a8b51d
Instruction Fuzzy Hash: 4501647290421DEFDF149FA4EC05BED77B0FB48326F01912AE612B2191C3B98998DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E24DD9 Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00E9AA50,00000010,00E1FE13,?,00000000,00000800,?,00000000), ref: 00E24E19

Part of subcall function 00E1D692: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,?,?,00E24F6F,?,00E9AA90,00000010,00E1F325,?), ref: 00E1D6A6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: DebugLibraryLoadOutputString
String ID:
API String ID: 137895185-0
Opcode ID: c2fe9415486422fe3534f9df39ac770db631bf74ea919b249908f061c727f1eb
Instruction ID: 492a5bc4a55b02817666b0fd862f4897d045cde75acf81460fb464d622dcceef
Opcode Fuzzy Hash: c2fe9415486422fe3534f9df39ac770db631bf74ea919b249908f061c727f1eb
Instruction Fuzzy Hash: 2BF0AFB2904318DFEF149F90EC05BAC77B0FB08325F006119E422B65D1C7B88944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E23219 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E23220

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 9be9dff370c677c169dbee0b302fc99e2a705dc3d080668c5b28f9a091f397ef
Instruction ID: 3ded4b535dce3066f96461d68c20c411c979445caa4d554efd42087a0748787c
Opcode Fuzzy Hash: 9be9dff370c677c169dbee0b302fc99e2a705dc3d080668c5b28f9a091f397ef
Instruction Fuzzy Hash: 4701EFB5E116199BCB04DFA5D481BEDB7F0BF18302F10912AE80AB7381CB746A40CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00E5DEBD Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2ed8182f331214b71dd8337c77fde3f4802c10b770f5dde98a0b22a574068448
Instruction ID: f9506edbcf7897e13edb5527f74974f9c2cc0ee8644c2cad42a6451f5bdf0a8e
Opcode Fuzzy Hash: 2ed8182f331214b71dd8337c77fde3f4802c10b770f5dde98a0b22a574068448
Instruction Fuzzy Hash: A8E02B3191D21266DA3136369C0275B768CEF923B7F042D24EC49BB5D1DF20CC0882A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A72B Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00E2A73C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Item
String ID:
API String ID: 3207170592-0
Opcode ID: e61e3fecb8f2d6ce0ebad7d65a48e986b60d76fc70cebc1466483129ccb27ca8
Instruction ID: 6cc7452f831699c813def59c9fcecc0e5c0a212c2231af0a949f4a1cd91cd042
Opcode Fuzzy Hash: e61e3fecb8f2d6ce0ebad7d65a48e986b60d76fc70cebc1466483129ccb27ca8
Instruction Fuzzy Hash: 94E04836200118AB8B015F55E84495D7F7AFFD4762314402AF905A7222DB31D852DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B152 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,000003E8,?,?,00E027E3,000003E8,00000005), ref: 00E2B163

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 33b76cf4bf17980b48da073ad94a4e10c881cd143b6d46e65928990c55b22c04
Instruction ID: 6ce5adc9b79d1a47952261d023435b77a4d7a77479c636ae4340339b7d64c69a
Opcode Fuzzy Hash: 33b76cf4bf17980b48da073ad94a4e10c881cd143b6d46e65928990c55b22c04
Instruction Fuzzy Hash: ADE04836300118AFCA019F55D8149A97F79FF853A17140065E90957221C7319861DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B935 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00E2B96A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: 8d42ebeb6da00db8a7dcff07c9b919a73306307d0c50de5d015c3b5e8a2e1c84
Instruction ID: 8d3c0ea144ea2089821285e168457c76a88f4cb4094ab52d848296db519e5e58
Opcode Fuzzy Hash: 8d42ebeb6da00db8a7dcff07c9b919a73306307d0c50de5d015c3b5e8a2e1c84
Instruction Fuzzy Hash: 47E04835200619EBCB059F56D808EDDBF79FF85361F044026E94857761DB715864DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2608D Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000006,?,00E26630,00000000,?,?,?,?,00E3E83A,00000000,?,?,00000000,00000004), ref: 00E260A0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 2a036ccff5ca44ee1ef623adf0f625238f041c11e528207cd07dd2fcc128d6a7
Instruction ID: 8d2d094522eded73c44c6bdd4e42517154ac3dcb3e9c2849564dd4bec603f090
Opcode Fuzzy Hash: 2a036ccff5ca44ee1ef623adf0f625238f041c11e528207cd07dd2fcc128d6a7
Instruction Fuzzy Hash: C0D0177120015CBBEF012E45FC01DBA3B9DEB80658F008160FD0C98171E632DDA1AA50

Uniqueness

Uniqueness Score: -1.00%

Function 00E03CDE Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00E03CE6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0c3ba8e91f490fdded7f73099df23ba510333bc2dbb1b58dc716303fdb1a1afa
Instruction ID: abd0ddff56499c0dcc4a979e5447aa20f90738f5df30a4f5de23f29ae972f7ce
Opcode Fuzzy Hash: 0c3ba8e91f490fdded7f73099df23ba510333bc2dbb1b58dc716303fdb1a1afa
Instruction Fuzzy Hash: DDE086312417205BF72917348C2BBAA7590FB08715F101A3DF25BEB2D2EAB428404744

Uniqueness

Uniqueness Score: -1.00%

Function 00E2082A Relevance: 1.5, APIs: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00E20848

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5dbc481f08c9962be9fe25729d5972cc3960dd7fe733ad34fb66ad25225369fa
Instruction ID: 705a82a96fdf579095916885d16f0030a1149dbb54c12799007b569f0fce5b6b
Opcode Fuzzy Hash: 5dbc481f08c9962be9fe25729d5972cc3960dd7fe733ad34fb66ad25225369fa
Instruction Fuzzy Hash: F0D067F2510208AFA704EF68DC4597637ADFB146287144269B858DA2A2E732EC52DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00E5673C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E56759

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12e72227cc6a2817515612e34c2b870032dace5127ccf49c801997517b50b6a1
Instruction ID: 291f86725aa9050d8bf65449992672e1b1f84cf373c1b20a02d98557a9a7b18e
Opcode Fuzzy Hash: 12e72227cc6a2817515612e34c2b870032dace5127ccf49c801997517b50b6a1
Instruction Fuzzy Hash: 62D06C3200010DBFDF028F85DC06EDA3BAAFB48714F018000BA1C66061C732E861AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E4E9AC Relevance: 1.5, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E4E9BF

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 432ba72ec766bbaa9b01fb95f8e39ff391bf78a0cb1e7f168574295de3ab8502
Instruction ID: c97ec3bc97c5af0c5d0a64baef918008c9a0e709b596986f56911153325fb038
Opcode Fuzzy Hash: 432ba72ec766bbaa9b01fb95f8e39ff391bf78a0cb1e7f168574295de3ab8502
Instruction Fuzzy Hash: 5CC08C3140820CFBCB20DF89EC0AA5EBBB9DB80320F200188FC0C17240DE72AE1196C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E172E0 Relevance: 56.4, APIs: 8, Strings: 24, Instructions: 448COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00E17323
GetVersionExW.KERNEL32(0000011C), ref: 00E1733A

Strings

LANMANNT, xrefs: 00E17663
A, xrefs: 00E177FA
Microsoft Windows Me , xrefs: 00E1786A
Professional , xrefs: 00E174F2, 00E1763A
WINNT, xrefs: 00E1761F
Microsoft Windows 98 , xrefs: 00E17800
Advanced Server , xrefs: 00E1757E, 00E176AA
OSR2 , xrefs: 00E177CC
version %d.%d %s (Build %d), xrefs: 00E176F2
Microsoft Windows XP , xrefs: 00E1742D
Server , xrefs: 00E175BA, 00E1767B
SE , xrefs: 00E17840
Microsoft Windows NT , xrefs: 00E1739A
Personal , xrefs: 00E174CA
SERVERNT, xrefs: 00E17692
Microsoft Windows 2000 , xrefs: 00E173EA
Microsoft Win32s , xrefs: 00E178AD
Microsoft Windows Vista , xrefs: 00E17490
Windows Server 2003 family , xrefs: 00E17475
Microsoft Windows 95 , xrefs: 00E1777A
%s (Build %d), xrefs: 00E17702
DataCenter Server , xrefs: 00E1753A
ProductType, xrefs: 00E175F8
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00E175D7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID: %s (Build %d)$A$Advanced Server $DataCenter Server $LANMANNT$Microsoft Win32s $Microsoft Windows 2000 $Microsoft Windows 95 $Microsoft Windows 98 $Microsoft Windows Me $Microsoft Windows NT $Microsoft Windows Vista $Microsoft Windows XP $OSR2 $Personal $ProductType$Professional $SE $SERVERNT$SYSTEM\CurrentControlSet\Control\ProductOptions$Server $WINNT$Windows Server 2003 family $version %d.%d %s (Build %d)
API String ID: 1889659487-2477365438
Opcode ID: 5b976ddde3ab5e5300d42897492e0bce3916d01149457b14a60ce084db98dc55
Instruction ID: 5422c1736405b26a921a5e6695875075c10a5414b7ba17058a5421d8d8a516b1
Opcode Fuzzy Hash: 5b976ddde3ab5e5300d42897492e0bce3916d01149457b14a60ce084db98dc55
Instruction Fuzzy Hash: DB1230785083418FCB14CF29D440AA5BBF1FB59708B2495AED89DAB352E733D98BCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E13D20 Relevance: 36.9, APIs: 13, Strings: 8, Instructions: 177COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00E13D59
OpenProcessToken.ADVAPI32(00000000), ref: 00E13D60
GetLastError.KERNEL32 ref: 00E13D6A

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

GetTokenInformation.ADVAPI32(?,00000002,00000000,?,00000008,?,?), ref: 00E13DC5
GetLastError.KERNEL32(?,?), ref: 00E13DD1

Strings

The group SID is enabled., xrefs: 00E13ED8
GetTokenInformation Error %u, xrefs: 00E13DD9, 00E13E3E
AllocateAndInitializeSid Error %u, xrefs: 00E13E76
c:\rhub2\code\utility\utility.cpp, xrefs: 00E13D7B, 00E13DE3, 00E13E80, 00E13EE2, 00E13F17
The group SID is a deny-only SID., xrefs: 00E13F01
The group SID is not enabled., xrefs: 00E13F0D
OpenProcessToken Error %u, xrefs: 00E13D71
Utility::IsUserAdmin(), xrefs: 00E13D82, 00E13DEA, 00E13E87, 00E13EE9, 00E13F1E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalErrorLastProcessSectionToken$CurrentEnterInformationLeaveOpen
String ID: AllocateAndInitializeSid Error %u$GetTokenInformation Error %u$OpenProcessToken Error %u$The group SID is a deny-only SID.$The group SID is enabled.$The group SID is not enabled.$Utility::IsUserAdmin()$c:\rhub2\code\utility\utility.cpp
API String ID: 2828058356-2557394127
Opcode ID: 99072452a8972b09b1ced266d3f6eb7c2fd8a886756ad2607e621ad698617cd0
Instruction ID: 8711433ec8db3cf73904207c577262540106d87f7dfdca6edf39169f625a4633
Opcode Fuzzy Hash: 99072452a8972b09b1ced266d3f6eb7c2fd8a886756ad2607e621ad698617cd0
Instruction Fuzzy Hash: 9751F971744304BFEB20AF21DC06FEB77E8AF48704F405429FA48B61E2D6B19989CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E18060 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 126stringfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000206), ref: 00E180B6
lstrcpyW.KERNEL32(?,Unknown), ref: 00E180D0
lstrcpyW.KERNEL32(?,00000000), ref: 00E180EA
lstrcpyW.KERNEL32(00000000,ERRORLOG.TXT), ref: 00E1810D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,80000080,00000000), ref: 00E18126
OutputDebugStringW.KERNEL32(Error creating exception report), ref: 00E18138
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E1815F
CloseHandle.KERNEL32(00000000), ref: 00E18185
lstrcpyW.KERNEL32(00000000,CRASH.DMP), ref: 00E18191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,80000080,00000000), ref: 00E181AA
CloseHandle.KERNEL32(00000000), ref: 00E181C5
IsDebuggerPresent.KERNEL32 ref: 00E181CB

Strings

===== [end of %s] =====, xrefs: 00E18170
CRASH.DMP, xrefs: 00E1818B
ERRORLOG.TXT, xrefs: 00E18107, 00E1816B
Unknown, xrefs: 00E180C6
Error creating exception report, xrefs: 00E18133

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Filelstrcpy$CloseCreateHandle$DebugDebuggerModuleNameOutputPointerPresentString
String ID: ===== [end of %s] =====$CRASH.DMP$ERRORLOG.TXT$Error creating exception report$Unknown
API String ID: 2562258883-4078883516
Opcode ID: e3e09f131447fd99dd9d63a019f57c9f5949d89e1bde9432b02f0ea19a73c676
Instruction ID: 1ecf38069cf749bc4607f451026678fda48512b9d17a05e4d02d53e116c208ba
Opcode Fuzzy Hash: e3e09f131447fd99dd9d63a019f57c9f5949d89e1bde9432b02f0ea19a73c676
Instruction Fuzzy Hash: 304116B26443007BD620E731EC0AFDB73D8AF49714F045525FA49B21D2EE74A58887A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E71660 Relevance: 18.0, APIs: 3, Strings: 7, Instructions: 481COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00E716B7
_strstr.LIBCMT ref: 00E716CD
_strstr.LIBCMT ref: 00E71826

Strings

Do not cache this setting sByPass = %s, xrefs: 00E716DE
</__SERVER_ACCESS_SETTING1__>, xrefs: 00E71BB7
HR::AddCache, xrefs: 00E716EF, 00E7171C, 00E71CE7
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E716E8, 00E71715, 00E71CE0
<__SERVER_ACCESS_SETTING1__>, xrefs: 00E71BBC
Do not cache this setting sProxyAddress = %s, xrefs: 00E7170B
Too long: iByPassLength = %d, iProxyAddressLength = %d, iServerAccessSettingLength = %d, xrefs: 00E7180B, 00E71CD6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strstr
String ID: </__SERVER_ACCESS_SETTING1__>$<__SERVER_ACCESS_SETTING1__>$Do not cache this setting sByPass = %s$Do not cache this setting sProxyAddress = %s$HR::AddCache$Too long: iByPassLength = %d, iProxyAddressLength = %d, iServerAccessSettingLength = %d$c:\rhub2\code\hlib\hlib.cpp
API String ID: 2882301372-2211000319
Opcode ID: 33d3212909c989c4120618fb6d472ae06d244aa96b65780c28f0620fba966193
Instruction ID: 8d6e6cb61811b965ee81782157c121416cd2799de4d4f35db2b48508852b8db4
Opcode Fuzzy Hash: 33d3212909c989c4120618fb6d472ae06d244aa96b65780c28f0620fba966193
Instruction Fuzzy Hash: DD0234719003599BDF24DF28CC81BEABBB5AF55304F0891D8E84DBB282D7719E99CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2E860 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E2E880

Strings

DWriteCreateFactory, xrefs: 00E2E902
D2D1MakeRotateMatrix, xrefs: 00E2E8DF
D2D1.dll, xrefs: 00E2E88D
DWrite.dll, xrefs: 00E2E8ED
D2D1CreateFactory, xrefs: 00E2E8A7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: cfa4e04487f3a69e68ee0ee823b1af62d14690290835550e4fe67daec1fcaf40
Instruction ID: bf968ee6297f4d5a5c7f451b5611d3534deafc687b3cd35a85dc727826c0731a
Opcode Fuzzy Hash: cfa4e04487f3a69e68ee0ee823b1af62d14690290835550e4fe67daec1fcaf40
Instruction Fuzzy Hash: 4021A171250725AFDB28AF72EC45B2676A8FF80755F04553EF54EB1290EB70E844CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C8D5 Relevance: 16.4, APIs: 8, Strings: 1, Instructions: 605COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3C8DC
VariantClear.OLEAUT32(?), ref: 00E3CCAD

Part of subcall function 00E3E0E6: VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 00E3E103

VariantClear.OLEAUT32(?), ref: 00E3CCCD
VariantClear.OLEAUT32(?), ref: 00E3CE68
VariantClear.OLEAUT32(?), ref: 00E3CE76

Strings

0, xrefs: 00E3CE7F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ChangeH_prolog3Type
String ID: 0
API String ID: 3567832691-4108050209
Opcode ID: 6d5ce9460891511d033185ea73f46c3702c5d01c8c43f2607885a80299815d65
Instruction ID: d022292ab700b4d4fdc4adebfa9dd3b1a586a28b875d5c5b1c7b7e90859557a4
Opcode Fuzzy Hash: 6d5ce9460891511d033185ea73f46c3702c5d01c8c43f2607885a80299815d65
Instruction Fuzzy Hash: 45325F71A00619AFCB18DFA4D9899AEBBF9FF48304F209169E506F7291DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E338A9 Relevance: 10.6, APIs: 7, Instructions: 132fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E338B3
PathIsUNCW.SHLWAPI(?,?,?,00000000), ref: 00E3395E
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E33982
GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,00E33176,?,?,00000000), ref: 00E338E6

Part of subcall function 00E3387C: GetLastError.KERNEL32(?,?,00E33993,?,?), ref: 00E33887

Part of subcall function 00E331EF: PathStripToRootW.SHLWAPI(00000000), ref: 00E33223

CharUpperW.USER32(?), ref: 00E339B0
FindFirstFileW.KERNEL32(?,?), ref: 00E339C8
FindClose.KERNEL32(00000000), ref: 00E339D4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
String ID:
API String ID: 2323451338-0
Opcode ID: 7175fd31dbe93070b937c7099b9d03ff9e91845f0934eaed3a34e8bac4a1c086
Instruction ID: 6479a4dfadc9c5e58e2f0454324a3ca6f0fd6004f735be342463c4f92fea34f1
Opcode Fuzzy Hash: 7175fd31dbe93070b937c7099b9d03ff9e91845f0934eaed3a34e8bac4a1c086
Instruction Fuzzy Hash: B441A470504215AFDB24EB34CC8DFAEB7BCEF50314F101699B85AB2151EB759F84CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00E68E8F Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1391COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E69031

Strings

1#IND, xrefs: 00E6A1FF
1#SNAN, xrefs: 00E6A20F
1#INF, xrefs: 00E6A21D
1#QNAN, xrefs: 00E6A216

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4eaca6427b3a7502c1db4b0dc57abb358c4361fd5b456b0a155529beec5f509b
Instruction ID: e09994bc4e4ff1959688108b65cf581e0b1bd26268b1c202090d859772c0a473
Opcode Fuzzy Hash: 4eaca6427b3a7502c1db4b0dc57abb358c4361fd5b456b0a155529beec5f509b
Instruction Fuzzy Hash: CDC25B71E482288FCB65CE28ED407E9B3B9EB84395F1451EAD80DF7241E775AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 00E6638D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00E666B2,?,00000000), ref: 00E66426
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00E666B2,?,00000000), ref: 00E6644F
GetACP.KERNEL32(?,?,00E666B2,?,00000000), ref: 00E66464

Strings

OCP, xrefs: 00E663E1
ACP, xrefs: 00E663AB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 0a9db5f0d0be94cbff36a2c74a2c23070254e30e241c30326a7e80ef1e1e1cdd
Instruction ID: 3f986f37906cecbd9f4d47c57bddecfb6dcae58579cb39d5907ffaec7b76cf2b
Opcode Fuzzy Hash: 0a9db5f0d0be94cbff36a2c74a2c23070254e30e241c30326a7e80ef1e1e1cdd
Instruction Fuzzy Hash: AE21D8316E0115ABDB308F55E904AA773A6FF60B98B569025E81DF7211EB32DE40C350

Uniqueness

Uniqueness Score: -1.00%

Function 00E66567 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

Part of subcall function 00E5CE4E: _free.LIBCMT ref: 00E5CEA9

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00E66673
IsValidCodePage.KERNEL32(00000000), ref: 00E666CE
IsValidLocale.KERNEL32(?,00000001), ref: 00E666DD
GetLocaleInfoW.KERNEL32(?,00001001,00E5A6D2,00000040,?,00E5A7F2,00000055,00000000,?,?,00000055,00000000), ref: 00E66725
GetLocaleInfoW.KERNEL32(?,00001002,00E5A752,00000040), ref: 00E66744

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_free
String ID:
API String ID: 1213562535-0
Opcode ID: 1bc35b01229753cb4fafd115ac49649a9fa455d67d4ab6f208d7d635679faf09
Instruction ID: a76f02c3d00c0f83132a838a4f72fac08620b7f129fa7e83b97e2f8b0d62842d
Opcode Fuzzy Hash: 1bc35b01229753cb4fafd115ac49649a9fa455d67d4ab6f208d7d635679faf09
Instruction Fuzzy Hash: A751D3B2A50206AFDF20DFA5FC45ABEB7B8EF04344F051429E805F7190EB719A048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E65C29 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00E5A6D9,?,?,?,?,?,?,00000004), ref: 00E65D0B
_wcschr.LIBVCRUNTIME ref: 00E65D9B
_wcschr.LIBVCRUNTIME ref: 00E65DA9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00E5A6D9,00000000,00E5A7F9), ref: 00E65E4C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: dbc49de9f89237fa3a462ec4c42989fb38e67b18e95625f259c9c4e35457471d
Instruction ID: a0bb1a48b91014e50b6203b83c58e9b7e66b3355afa2a61d6e1e98bc024c92cc
Opcode Fuzzy Hash: dbc49de9f89237fa3a462ec4c42989fb38e67b18e95625f259c9c4e35457471d
Instruction Fuzzy Hash: E661E772740B06AAD724AB74EC46BBB73E8EF04794F24146AF915FB181EB70AD448760

Uniqueness

Uniqueness Score: -1.00%

Function 00E59389 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00E593B2
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00E593CA
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00E59420
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00E59435

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: dc3c705a46b39431e2a73f50c804b3e9b72a508445cfb22382ebad5cbcd4e6e8
Instruction ID: 4f015b64a797602bfac643ee869d91492266e4c3e9738b34bd3ccd6136d579b4
Opcode Fuzzy Hash: dc3c705a46b39431e2a73f50c804b3e9b72a508445cfb22382ebad5cbcd4e6e8
Instruction Fuzzy Hash: 8C218D72E00119EBCF20DBA59C89AEEB7F8EF44755F011425E919F7182EA309909CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E218C5 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AB5A: GetWindowLongW.USER32(?,000000F0), ref: 00E2AB67

GetKeyState.USER32(00000010), ref: 00E218E2
GetKeyState.USER32(00000011), ref: 00E218EF
GetKeyState.USER32(00000012), ref: 00E218FC
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00E21916

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 72d96618b812c0766d42b539751c0a1c779cb7beabfaf1592c83587225c9170b
Instruction ID: 4847aafa8fb6aba05e416cfbd764e8fe50a3fe8101b11c9abe233359f3fdc8a3
Opcode Fuzzy Hash: 72d96618b812c0766d42b539751c0a1c779cb7beabfaf1592c83587225c9170b
Instruction Fuzzy Hash: F7F052343402322FDA3077B0BC85BE82568DFA4B54F0028B8B286FE0C3CA9085C24462

Uniqueness

Uniqueness Score: -1.00%

Function 00E70620 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

@, xrefs: 00E70A1B
H, xrefs: 00E707FD
(I, xrefs: 00E70811
hI, xrefs: 00E707E6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (I$@$hI$H
API String ID: 0-3252275086
Opcode ID: e367213836d088ff1eaca0ed4635a45703a4a11b128c293f131c374cacc3e48b
Instruction ID: 75897cc5eb16b37093274efec68be342051d3639d128f26caf8c7e86208ede7d
Opcode Fuzzy Hash: e367213836d088ff1eaca0ed4635a45703a4a11b128c293f131c374cacc3e48b
Instruction Fuzzy Hash: 31F15A75E00218CFDF28CFA8C4906ADBBB1FF99314F24916AD81AAB395E7319955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E66014 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

Part of subcall function 00E5CE4E: _free.LIBCMT ref: 00E5CEA9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E66068
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E660B9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E66179

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$ErrorLast$_free
String ID:
API String ID: 1690466582-0
Opcode ID: c5941b22727f2ffbac8b88a8b8390871a4c972b257c7c13bcc89ff55c8370d56
Instruction ID: c3fc9cf109f6d4f6ab483e97b61b320ef358186886a3ae1df7829854ae475239
Opcode Fuzzy Hash: c5941b22727f2ffbac8b88a8b8390871a4c972b257c7c13bcc89ff55c8370d56
Instruction Fuzzy Hash: C76104715A12079FDB289F24DC82BBA77A8EF05398F105079EC15E6196E734ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E4A64E Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00E4A746
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E4A750
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00E4A75D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8cfc9a2b4a959308e4ed37f4a1687b455d1ef180c898b3e2e16ce07c03ce0a2c
Instruction ID: c044304787552fec6d6b1c7a0c309bd65c858bed3d4a060ca41c1ff81997b5d6
Opcode Fuzzy Hash: 8cfc9a2b4a959308e4ed37f4a1687b455d1ef180c898b3e2e16ce07c03ce0a2c
Instruction Fuzzy Hash: DE31D57490121CABCB21DF24E889BDDB7B8AF18310F5051EAE80CA6291E7709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 00E53B80 Relevance: 3.5, APIs: 2, Instructions: 467COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5dd68e2efac9364a7bf90a69f4571c0155ccf9e5fe11df5fc05dda589ce27e
Instruction ID: e0cf4fc6e84e79e9cb2f537d040557a059c0e1d0dfcf669bb0aacca42b74c309
Opcode Fuzzy Hash: cf5dd68e2efac9364a7bf90a69f4571c0155ccf9e5fe11df5fc05dda589ce27e
Instruction Fuzzy Hash: 17023B71E002199BDF14CFA9D8806ADF7F1EF48315F25456AD819F7384D731AE458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E105F0 Relevance: 2.1, Strings: 1, Instructions: 837COMMON

Download Yara Rule

Strings

8, xrefs: 00E10667, 00E10933, 00E10BD3, 00E10E54

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: 037e50103ac00812a28b685706e477036ef1f3a5ced53f08e2c3ea187f530a37
Instruction ID: 82aa91b97c1e0567280cc531cfb80a0a6a93fc5adb9f043f12608abfb63b0a10
Opcode Fuzzy Hash: 037e50103ac00812a28b685706e477036ef1f3a5ced53f08e2c3ea187f530a37
Instruction Fuzzy Hash: 1F522A715083448FC725DF288880AEABBE5EF85314F14176DF4969B392D7B0DAC9CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E10FD0 Relevance: 2.1, Strings: 1, Instructions: 823COMMON

Download Yara Rule

Strings

8, xrefs: 00E11047, 00E11312, 00E115B1, 00E11832

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-3897458245
Opcode ID: c8992822a2781a9bf7e5b28340ca20810c84f490c0c9f3c61a580b06baeefbaf
Instruction ID: f4ba09cb8509e24a53d2c27aa823f26f7be7f65d490bca49fcf99169d765ad88
Opcode Fuzzy Hash: c8992822a2781a9bf7e5b28340ca20810c84f490c0c9f3c61a580b06baeefbaf
Instruction Fuzzy Hash: A85206715083488FC715CF2888C06EABBE5EF86314F1417ADF5A6AB392D774DA88C752

Uniqueness

Uniqueness Score: -1.00%

Function 00E5BA03 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?), ref: 00E5BC30

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6bed19b917ec8067592b0ff4a4b127bb64efedf24b87ac1dbc4db727ab88125f
Instruction ID: 20831aa1e50af2f85d2a1c88bf82d07b78093923109f3bec125e5d2f6337ab53
Opcode Fuzzy Hash: 6bed19b917ec8067592b0ff4a4b127bb64efedf24b87ac1dbc4db727ab88125f
Instruction Fuzzy Hash: 22B18F31110608CFD715CF28C48ABA5BBE0FF4536AF259A58EC9ADF2A1C735D985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00E37463 Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000000), ref: 00E37530

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ece77007c9581083779902d739fe460f6d4ea74e3bc52f2624487fd4f074af93
Instruction ID: 5b63bbd03d4173da35e71861f24d1dc8a0c7c46e967291822e797ce8df2913fb
Opcode Fuzzy Hash: ece77007c9581083779902d739fe460f6d4ea74e3bc52f2624487fd4f074af93
Instruction Fuzzy Hash: E19170B1A00616AFD768CF68C985A99BBF4FF48314F045169E949EB741D770E8A0CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00E63648 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f56f4cb73202f82a908439cbed38307861d278ab0b3426fda9996a7b3a61fa
Instruction ID: a37d07f65f30a115cbd7ac3e8e0daf7e93d9c0e218db30eb4928194c159ef1c7
Opcode Fuzzy Hash: 54f56f4cb73202f82a908439cbed38307861d278ab0b3426fda9996a7b3a61fa
Instruction Fuzzy Hash: 19312672900219BFCB24DFB9DC89DAF77BDEB85350F144168F905A7281EA30AE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E66264 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

Part of subcall function 00E5CE4E: _free.LIBCMT ref: 00E5CEA9

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E662B8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: f212ff9578575ce5512b60e5a634092d3ab00225e7a76d69378c9c45d94ba0c2
Instruction ID: 12c5a186f71ecf028fea3355f11332b2aa06b0b5152f1aa15dd1c643e16a2018
Opcode Fuzzy Hash: f212ff9578575ce5512b60e5a634092d3ab00225e7a76d69378c9c45d94ba0c2
Instruction Fuzzy Hash: 3C21B3725A02069BDB249F25EC56BBA73ECEF85354F10117AED01E6291EB34AD44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E65EEC Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

EnumSystemLocalesW.KERNEL32(00E66014,00000001,00000000,?,00E5A6D2,?,00E66647,00000000,?,?,?), ref: 00E65F5E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 3684f8ee9650a6d6cd5353a3b59ba804def4c10bb2cb9984a53a3bfeb7ee888d
Instruction ID: 2f19f72a8e26d8c1168fdae5a736afcd72ca51d2e91f311cf9c823d126da5211
Opcode Fuzzy Hash: 3684f8ee9650a6d6cd5353a3b59ba804def4c10bb2cb9984a53a3bfeb7ee888d
Instruction Fuzzy Hash: 6611E5373047059FDB189F39D8A55BAB7A1FF803ACB19442CEA869BA40D771B942C740

Uniqueness

Uniqueness Score: -1.00%

Function 00E66494 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00E66232,00000000,00000000,?), ref: 00E664C0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f481c56872653f689e7a4e5e18c3ea593ffc5fdd1ac88f6f04623a45d11a8677
Instruction ID: c497b5537d0b88716bc370ad2b4267896a0c9ad699c197383e9c7493dd8fd135
Opcode Fuzzy Hash: f481c56872653f689e7a4e5e18c3ea593ffc5fdd1ac88f6f04623a45d11a8677
Instruction Fuzzy Hash: C0F0F932AA01167BDB249A25DC46ABA7798FB40399F151439ED19B3540EE30BE51C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E65F87 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

EnumSystemLocalesW.KERNEL32(00E66264,00000001,000000FF,?,00E5A6D2,?,00E6660B,00E5A6D2,?,?,?,?,?,00E5A6D2,?,?), ref: 00E65FD3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bc77ae8741a5943c44e75cf9d36e19c70125691487ccbc60fd4a9ca41cc1bfc0
Instruction ID: 650d43679af5c998d52ebe6fb0663ee2c4087878fa01ee4e5c66cdd2a9db8656
Opcode Fuzzy Hash: bc77ae8741a5943c44e75cf9d36e19c70125691487ccbc60fd4a9ca41cc1bfc0
Instruction Fuzzy Hash: F9F022363447046FDB249F39AC91A7A7B94EF803ACF15842CF9059B690D7B1AC41CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D13C Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5BF19: EnterCriticalSection.KERNEL32(?,?,00E5F777,?,00E9D780,0000000C), ref: 00E5BF28

EnumSystemLocalesW.KERNEL32(00E5D12F,00000001,00E9D6E0,0000000C,00E5D623,00000000,00000000), ref: 00E5D174

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 39ab9573cd1bd4588d9f71591d70bb20ad5d7dca7c98506b7a7d2dcbf31426fd
Instruction ID: eae831b0f8fffacb9bae00d9d81cd892f19610d5b859d9f4abec298e6744161c
Opcode Fuzzy Hash: 39ab9573cd1bd4588d9f71591d70bb20ad5d7dca7c98506b7a7d2dcbf31426fd
Instruction Fuzzy Hash: 8AF04972A10204AFEB14EF69ED0AB4E77F0EB09721F109615F810FB2E2CB7599588F40

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D78F Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,?,00E5A76C,?,20001004,?,00000002,?), ref: 00E5D7CE

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 08cd79b9aa46ec0b5ca97a177c77f6a03cb2a686d92f03cad69268d5edf307df
Instruction ID: aa832eb5420303f951cf87fe0cbd5efc3fd34d1cc5837c237a6c7cc53c0fa298
Opcode Fuzzy Hash: 08cd79b9aa46ec0b5ca97a177c77f6a03cb2a686d92f03cad69268d5edf307df
Instruction Fuzzy Hash: 2AF0EC3060920CBFCB22AF61EC04AAE7BA5EF08712F01441AFC0576261CF318E24AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E65EA1 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

EnumSystemLocalesW.KERNEL32(00E65DF8,00000001,000000FF,?,?,00E66669,00E5A6D2,?,?,?,?,?,00E5A6D2,?,?,?), ref: 00E65ED8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5d888f0ff279b4087c56933e3dadc82021610e5347e0fdca7ea96c21a06b6413
Instruction ID: ac376bfaedcc3010a563ef6da51e7e72326e72fa20b5b0059f7eaa7b91b4d182
Opcode Fuzzy Hash: 5d888f0ff279b4087c56933e3dadc82021610e5347e0fdca7ea96c21a06b6413
Instruction Fuzzy Hash: 7DF055373403055BCB04DF3AE849A6ABF90EFC27A4F460058EA09AB680C6329982C750

Uniqueness

Uniqueness Score: -1.00%

Function 00E22DF3 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00E22DFF

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 33f65a826ac81a5b167f844188c01bceaa88addf9db926195e8ff9bb899ccb4f
Instruction ID: 843946bd3df378794d6fbf514fa7318c59d08baaa6393e4b9071be7721770484
Opcode Fuzzy Hash: 33f65a826ac81a5b167f844188c01bceaa88addf9db926195e8ff9bb899ccb4f
Instruction Fuzzy Hash: DFD0C9315106709BC7265A25BC046D2B3A4BB14319B06142E9483A2570E6E09C90FB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E44D32 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00044D3E,00E439AA), ref: 00E44D37

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b2ac2015db5463be9b1e9652c6def18d9c149b5e1a473400b50f36d03fce3033
Instruction ID: f20752bb2ac809d82ecba602e140a1c56c396856eae043f9e518172853fc11c4
Opcode Fuzzy Hash: b2ac2015db5463be9b1e9652c6def18d9c149b5e1a473400b50f36d03fce3033
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D026 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

0, xrefs: 00E4D196

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5a3b1337d93bcb87a2c6d9a67af7990983956be6d5384457711dfdee3ea763f0
Instruction ID: ea27c9a00f72b1af58dcd913aa6128345ed455edb5ebaa88c11ae5342b2b2e6a
Opcode Fuzzy Hash: 5a3b1337d93bcb87a2c6d9a67af7990983956be6d5384457711dfdee3ea763f0
Instruction Fuzzy Hash: C351AA6160C64457DF388968BD96BFF23DB9B92308F18351AE842FB392C641ED038355

Uniqueness

Uniqueness Score: -1.00%

Function 00E633F8 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00E633F8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 155f193863ed701cf1264db7857f08cec9aab1e4ab99fdd05bf05c74d6f2a994
Instruction ID: 25ea6b58686f89ad0035b19a844b5c3cd1d45521001da968acef97de8d53c7d0
Opcode Fuzzy Hash: 155f193863ed701cf1264db7857f08cec9aab1e4ab99fdd05bf05c74d6f2a994
Instruction Fuzzy Hash: CBA012301012008F57408F37590420F35D46BC018031041155008F1162D62440844600

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D7B0 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ec0d2613789016f8e166570981dac6513d45474e75d5ab92c6cb21bbed40ee
Instruction ID: 64c40541d84bc11d600f1ebe414907e658e3894ec1c76e70e7d895902663b762
Opcode Fuzzy Hash: f2ec0d2613789016f8e166570981dac6513d45474e75d5ab92c6cb21bbed40ee
Instruction Fuzzy Hash: D6727BB1E002198FCB08CF99D8906ACBBF2FF88354F65516ED855BB381D775A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E679B9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c264c7925b1cd20989524d6ba9ec8ad759a007ce4c6bfc693bfbd7759cfc3e
Instruction ID: b3710765ddcadb12050017ecfc37c9036c7341348f1e3641da9e4d89ab47d369
Opcode Fuzzy Hash: 02c264c7925b1cd20989524d6ba9ec8ad759a007ce4c6bfc693bfbd7759cfc3e
Instruction Fuzzy Hash: 18322531D69F014DD7239635DD22335A388AFB73D8F15E727E81AB5AA6EF29C4874200

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D010 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0126dfb2ae3e1056ced80c99c70bf663844ba948f92ba6550ff3a83551e61f99
Instruction ID: 673691e92e6cfd56e0220c2036faf440c32529da0a1c92cb59fa550045ab5efc
Opcode Fuzzy Hash: 0126dfb2ae3e1056ced80c99c70bf663844ba948f92ba6550ff3a83551e61f99
Instruction Fuzzy Hash: 09229D70E442059FDB14CF98D8807AEBBB2FF84348F6491A9D814BB391C775DA42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E70AE0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f852f2e375a073a244264b28629c58ce75767c426af292b006526a9e32402e77
Instruction ID: 9c82b9a2aba1df59e679e1c707f1151819460a2ed4cbd7ebf1ac11962dfa9585
Opcode Fuzzy Hash: f852f2e375a073a244264b28629c58ce75767c426af292b006526a9e32402e77
Instruction Fuzzy Hash: 41F1B431A00255DFCB08CF68C5906ADBBF2EF89314F24C19DD899EB342D775AA06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FC10 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d16426023f6fda7057f25bde1b2f9e021c8babce63be733642e1a3c53e9e88f
Instruction ID: 6b29ce398374966020774817d815cbb405ec61819c703c48addfa96c12a11f52
Opcode Fuzzy Hash: 1d16426023f6fda7057f25bde1b2f9e021c8babce63be733642e1a3c53e9e88f
Instruction Fuzzy Hash: 59F14D316082558FC709CF18D5949F67BF1FF69350B1A82F9D88A9B3A7D731A880CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E06C90 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strcspn
String ID:
API String ID: 3709121408-0
Opcode ID: 50b5aaf59edfbcf982230df0a07688d064cfe648a67ce21bfdd2e6b122bcac06
Instruction ID: c8746d8c87e2042f99defb0f73e905068c58299da1f1f9c200fcb303609fd2b0
Opcode Fuzzy Hash: 50b5aaf59edfbcf982230df0a07688d064cfe648a67ce21bfdd2e6b122bcac06
Instruction Fuzzy Hash: F1C1AF72E00619AFDF19DFA8DC41AAEBBB5FF49310F14412AF805B7291D730A951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E5182F Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abafc3236d98d550c459fb43ca6e14c779c0c3eb39c9853874deb01a087e7c18
Instruction ID: 95f0b3d53565b8484005a411a1d8c5bfbee3466766001ad276a9e42f4d8d6f1a
Opcode Fuzzy Hash: abafc3236d98d550c459fb43ca6e14c779c0c3eb39c9853874deb01a087e7c18
Instruction Fuzzy Hash: 49B15432E052495FDF19CE78C8513EEBBE29F95306F1899D9EC11F7282EA348D498750

Uniqueness

Uniqueness Score: -1.00%

Function 00E4860A Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2f0c16f39b6cd4bdc3fc5456f900bb0b5debe55c798653ce5dadf7d99fc72a63
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F091C7721080E34EDB6D463EA67803EFFE15A517A5B1A279ED4F2EB1C1FE20C554D620

Uniqueness

Uniqueness Score: -1.00%

Function 00E488C5 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: b77948d8335a1ceca432ecef9542c82260e677190b00374f8b48de97d77dbf39
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EF91A67310D4A30EDB69463E967403EFFE15A927A5B0A279ED4F2EB0C1EE20C554E620

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D256 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed4a107fb1cf032bb74807c1c617ef7d55ecb897c6cc7c1e5d6363254fddc8a
Instruction ID: 0e484102559ec436c707525644ce14bd5bcced1e4bf9a95b3e2e8902fc0ef375
Opcode Fuzzy Hash: 4ed4a107fb1cf032bb74807c1c617ef7d55ecb897c6cc7c1e5d6363254fddc8a
Instruction Fuzzy Hash: 4761983170C60997CA389E28BC95BFF73D89B42708F50351AE443FB2D1EA90ED41834A

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D4C0 Relevance: .2, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e02e8f51819738c8fa9e6c3b0e916540662d75f587d31d349967f854f8a5a67
Instruction ID: 6323ecd695449e7efc0ba5e3c00f300586544bb08c44ebabbff23f2b02990ed4
Opcode Fuzzy Hash: 1e02e8f51819738c8fa9e6c3b0e916540662d75f587d31d349967f854f8a5a67
Instruction Fuzzy Hash: A86178B1A0C608D7DA389A68BC95BFE73D8DB4630CF54355AE487FB280DE19ED428705

Uniqueness

Uniqueness Score: -1.00%

Function 00E48343 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 94216c1e751fa5de578113c9ed3092cf8eea0dcc9ebc5afb87d1967a18336de2
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1791F6722080A30EDB2D463EA67407EFFE15A527A5B1A279ED4F3DB1C1FE14C954D620

Uniqueness

Uniqueness Score: -1.00%

Function 00E48099 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 778947efa9c760edc952b236ecacb498bf4dc1967693c83e85f63312d021199a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F381F73220D0E34EDB2D463EA63407EFFE15A527A5B0A279ED4F2DB1C1EE10C555D620

Uniqueness

Uniqueness Score: -1.00%

Function 00E70330 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68052141a0bdc4cda48e69fe2d9b45b1435d849edd0c152bb8fd28f39dc57a84
Instruction ID: f8c1dff2c26e5367503e77a051aaf77fa7e76f82fad223367ccc7e2ffa3e62a7
Opcode Fuzzy Hash: 68052141a0bdc4cda48e69fe2d9b45b1435d849edd0c152bb8fd28f39dc57a84
Instruction Fuzzy Hash: 96718C31624164AFDB18CF6BECD047A7391E789301346892FEE85EB396C534E539DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E51B86 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f234c35f90504293debdb7ca502e9dfc9ad558d7570e6c8072fc9a31c4e8ee68
Instruction ID: 59c157b3386d1e61ab5832639273d2bdb21c0afcd741aee63caeef00a56b00e7
Opcode Fuzzy Hash: f234c35f90504293debdb7ca502e9dfc9ad558d7570e6c8072fc9a31c4e8ee68
Instruction Fuzzy Hash: B651A171E00219AFDB08CF98C840BEEBBB5FF84305F188599E815AB201D7759E55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E1BF40 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c87d990571d6d3d172ce26cc1b5ca51e77e9bebc740c61ffd216321408f180e
Instruction ID: 6a71009521f201afa2db3d5675774cb274c9c8624ff84c7ca50c3715ee250158
Opcode Fuzzy Hash: 0c87d990571d6d3d172ce26cc1b5ca51e77e9bebc740c61ffd216321408f180e
Instruction Fuzzy Hash: 5541192121D2D89ECB0ACF6D48904AA7FE09EA6101F4884DAFCD8DF347C524DB59D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A9DF Relevance: .1, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b62afb825e04fd8a3e0b51a7584a89a2efd6d4ac992f759bcdc981faa360a2
Instruction ID: f8a73ea11668384b97aeabfde470ab8de4475365091d5ec6ac9f7e421ef13686
Opcode Fuzzy Hash: c4b62afb825e04fd8a3e0b51a7584a89a2efd6d4ac992f759bcdc981faa360a2
Instruction Fuzzy Hash: FA219233F218384B6718C47E8C422B9F2E697CC1517498276E8A5EB3C5D9B8DD16E2E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A8B6 Relevance: .1, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1224e6f9f7fc1141f0181b4ca13485a8dc68f6e79e9b519c1739b565a4bbc767
Instruction ID: 4b7add61a70d6131361d51baa545c6560d7a367e16b75d6e713ef52ba1fbf2d9
Opcode Fuzzy Hash: 1224e6f9f7fc1141f0181b4ca13485a8dc68f6e79e9b519c1739b565a4bbc767
Instruction Fuzzy Hash: 8C11C653F30935573B08856A8C93279A5D6EADC64035B933EE5A7D62C0E464EA27E3C0

Uniqueness

Uniqueness Score: -1.00%

Function 00E478D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e8fe90aa4af1430069ba292de3b76fe3926070aa7463c86e51da61803d423dbf
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C5115B7724C08243D6048A3EF4B45B7E395EBC532872F637AD3C1AB758D322E9419580

Uniqueness

Uniqueness Score: -1.00%

Function 00E5FD67 Relevance: .0, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c500d551490b2a2eeaa9dd0f018b75ed61514fe47833c09175feba067c394d1
Instruction ID: ddf591723ced9b21d016f1e1a452299d69f3a21fd25a5f1e0e914dfb9d705678
Opcode Fuzzy Hash: 3c500d551490b2a2eeaa9dd0f018b75ed61514fe47833c09175feba067c394d1
Instruction Fuzzy Hash: ACE04632965228EBC724DAD89A04A9AF3FCEB09B12B1149AAF904E3610C2709E04C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E71D70 Relevance: 80.9, APIs: 20, Strings: 26, Instructions: 441libraryCOMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00E71EE8
_strstr.LIBCMT ref: 00E71EFA
_strstr.LIBCMT ref: 00E71F0C
_strstr.LIBCMT ref: 00E71F1E
LoadLibraryA.KERNEL32(jsproxy.dll), ref: 00E72002
GetLastError.KERNEL32 ref: 00E7200E

Strings

jsproxy.dll, xrefs: 00E71FE6
.turbomeet.com, xrefs: 00E71F06
InternetGetProxyInfo, xrefs: 00E7209F
Failed to 111 LoadLibrary %d, xrefs: 00E72015
The script: %s, xrefs: 00E721D8
666 %s, xrefs: 00E72335
gomeetnow.com, xrefs: 00E71EF4
https://%s%s, xrefs: 00E71E95
Failed to Detect 333 %d, xrefs: 00E720DA
http://%s:%d%s, xrefs: 00E71EBF
%s%s, xrefs: 00E71F68
gosupportnow.com, xrefs: 00E71F18
http://%s:%d, xrefs: 00E71ED4
InternetDeInitializeAutoProxyDll, xrefs: 00E72085
http://%s%s, xrefs: 00E71E65
Failed to 777 error %d, xrefs: 00E7236E
https://%s, xrefs: 00E71EA7
http://%s, xrefs: 00E71E77
host=%s; url=%s, WPADLocation = %s, xrefs: 00E71F91
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E71F9B, 00E7201F, 00E720E4, 00E721E2, 00E7224A, 00E722EA, 00E7233F, 00E72378, 00E723C3
Failed to 555 error %d, %s, xrefs: 00E722E0
rhubcom.com, xrefs: 00E71EE2
InternetInitializeAutoProxyDll, xrefs: 00E7206B
Failed to 444 error %d return value %d for WPADLocation = %s, xrefs: 00E72240
Failed to 222 GetProcAddress %d, xrefs: 00E723B9
HR::Detect, xrefs: 00E71FA2, 00E72025, 00E720EB, 00E721ED, 00E72251, 00E722F1, 00E72346, 00E7237F, 00E723CA

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strstr$ErrorLastLibraryLoad
String ID: %s%s$.turbomeet.com$666 %s$Failed to 111 LoadLibrary %d$Failed to 222 GetProcAddress %d$Failed to 444 error %d return value %d for WPADLocation = %s$Failed to 555 error %d, %s$Failed to 777 error %d$Failed to Detect 333 %d$HR::Detect$InternetDeInitializeAutoProxyDll$InternetGetProxyInfo$InternetInitializeAutoProxyDll$The script: %s$c:\rhub2\code\hlib\hlib.cpp$gomeetnow.com$gosupportnow.com$host=%s; url=%s, WPADLocation = %s$http://%s$http://%s%s$http://%s:%d$http://%s:%d%s$https://%s$https://%s%s$jsproxy.dll$rhubcom.com
API String ID: 1723602470-3407230231
Opcode ID: b5bca9d5409668d17d22f1b88720895f6b71c53e2a2a77d6e1713d5cd1187166
Instruction ID: 0ac539d3aff349a502f2dfe54f3f44eea8f7450a6ebb61b62870310573f54ecf
Opcode Fuzzy Hash: b5bca9d5409668d17d22f1b88720895f6b71c53e2a2a77d6e1713d5cd1187166
Instruction Fuzzy Hash: 9BF1A471A44309BEDF239B60DC46FEA77BCAF15704F0090E9F508BA192D7716B898B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E09B00 Relevance: 44.0, APIs: 3, Strings: 22, Instructions: 281COMMON

Download Yara Rule

APIs

Part of subcall function 00E13110: GetModuleFileNameW.KERNEL32(00000000,?,00000200,?,?,?,?,00E09B9A,?,?,?,?,?,?,?,00000000), ref: 00E1321F
Part of subcall function 00E13110: GetLongPathNameW.KERNEL32(?,?,00000200), ref: 00E1323A
Part of subcall function 00E13110: GetUserNameW.ADVAPI32(?,00000200), ref: 00E132B9

_strstr.LIBCMT ref: 00E09BBD
GetTempPathW.KERNEL32(00000200,?), ref: 00E09BE0

Part of subcall function 00E16610: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,?,00003829,?,?,00E017B0,?,00000000,00001000), ref: 00E16644
Part of subcall function 00E16610: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00E017B0,?,00000000,00001000,?,?), ref: 00E16661

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

_strstr.LIBCMT ref: 00E09D09

Strings

--called_by_client_to_sync, xrefs: 00E09D03
failed to load %s, xrefs: 00E09CC1, 00E09F5B
<__DESKTOP_DIRECTORY__>, xrefs: 00E09EAF
SetupHandler::InitializeSetup, xrefs: 00E09CD5, 00E09D54, 00E09DCE, 00E09E3D, 00E09EFB
</__DESKTOP_DIRECTORY__>, xrefs: 00E09EAA
%s\%s, xrefs: 00E09C4B, 00E09F28
TMServiceCache.txt, xrefs: 00E09DEE
Refined directories: m_sUserApplicationDirectory = %s; m_sDesktopDirectory = %s, m_sStartMenuDirectory = %s, xrefs: 00E09EEA
Refine directory by %s, xrefs: 00E09E2C
c:\rhub2\code\setuphandler\setuphandler.cpp, xrefs: 00E09CCB, 00E09D4D, 00E09DC7, 00E09E36, 00E09EF4
--called_by_downloader, xrefs: 00E09BB7
Read from sCommandParameterFile %s, xrefs: 00E09CAB
%s\%s\%s, xrefs: 00E09D31, 00E09E06
rsp1024hcmd.txt, xrefs: 00E09C39, 00E09D19
\, xrefs: 00E09C1B
sCommandParameterFile = %s, xrefs: 00E09D43
</__USER_APPLICATION_DIRECTORY__>, xrefs: 00E09E8E
Read from sCommandParameterFile = %s, xrefs: 00E09DBD
TurboMeeting, xrefs: 00E09D1E, 00E09DF3, 00E09F1C
<__USER_APPLICATION_DIRECTORY__>, xrefs: 00E09E93
<__START_MENUE_DIRECTORY__>, xrefs: 00E09ECB
</__START_MENUE_DIRECTORY__>, xrefs: 00E09EC6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Name$ByteCharCriticalMultiPathSectionWide_strstr$EnterFileLeaveLongModuleTempUser
String ID: %s\%s$%s\%s\%s$--called_by_client_to_sync$--called_by_downloader$</__DESKTOP_DIRECTORY__>$</__START_MENUE_DIRECTORY__>$</__USER_APPLICATION_DIRECTORY__>$<__DESKTOP_DIRECTORY__>$<__START_MENUE_DIRECTORY__>$<__USER_APPLICATION_DIRECTORY__>$Read from sCommandParameterFile %s$Read from sCommandParameterFile = %s$Refine directory by %s$Refined directories: m_sUserApplicationDirectory = %s; m_sDesktopDirectory = %s, m_sStartMenuDirectory = %s$SetupHandler::InitializeSetup$TMServiceCache.txt$TurboMeeting$\$c:\rhub2\code\setuphandler\setuphandler.cpp$failed to load %s$rsp1024hcmd.txt$sCommandParameterFile = %s
API String ID: 4122698823-3744154938
Opcode ID: ac4ba0c48320a7d073df932bb7c0cf940dee7fe1e226690e627d3e715abf081c
Instruction ID: 687b817a2e04341f3d10f414a088a8b1fd9cca332bfe7637f4ac423a26ecafb9
Opcode Fuzzy Hash: ac4ba0c48320a7d073df932bb7c0cf940dee7fe1e226690e627d3e715abf081c
Instruction Fuzzy Hash: 14B194B1A44308BAEB21DB60CC46FDA77FCAF05700F005595F65DB61C3DAB16AC88B65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01281 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 42registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(Native), ref: 00E42254
RegisterWindowMessageW.USER32(OwnerLink), ref: 00E42261
RegisterWindowMessageW.USER32(ObjectLink), ref: 00E4226F
RegisterWindowMessageW.USER32(Embedded Object), ref: 00E4227D
RegisterWindowMessageW.USER32(Embed Source), ref: 00E4228B
RegisterWindowMessageW.USER32(Link Source), ref: 00E42299
RegisterWindowMessageW.USER32(Object Descriptor), ref: 00E422A7
RegisterWindowMessageW.USER32(Link Source Descriptor), ref: 00E422B5
RegisterWindowMessageW.USER32(FileName), ref: 00E422C3
RegisterWindowMessageW.USER32(FileNameW), ref: 00E422D1
RegisterWindowMessageW.USER32(Rich Text Format), ref: 00E422DF
RegisterWindowMessageW.USER32(RichEdit Text and Objects), ref: 00E422ED

Strings

ObjectLink, xrefs: 00E42267
Rich Text Format, xrefs: 00E422D7
Link Source Descriptor, xrefs: 00E422AD
RichEdit Text and Objects, xrefs: 00E422E5
Embedded Object, xrefs: 00E42275
Native, xrefs: 00E4224D
Embed Source, xrefs: 00E42283
OwnerLink, xrefs: 00E4225A
FileNameW, xrefs: 00E422C9
FileName, xrefs: 00E422BB
Object Descriptor, xrefs: 00E4229F
Link Source, xrefs: 00E42291

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 68717a9f9dd75b6d898d86c9b462396821262252e93b209cacd027692faa63b5
Instruction ID: 08d75178374c451a8dbd5d33b4f3218610029577a16eba8bc9bd57d6bb2e265d
Opcode Fuzzy Hash: 68717a9f9dd75b6d898d86c9b462396821262252e93b209cacd027692faa63b5
Instruction Fuzzy Hash: E01147B19427019FC720AFF2AC0D48A7EA0EF18F013015A19A25EB76B1E77591C98F85

Uniqueness

Uniqueness Score: -1.00%

Function 00E17AE0 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 171librarythreadCOMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(raising exception,904898A6,771EF860,00000000,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17B42
RaiseException.KERNEL32(80000003,?,?,?,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17B50
OutputDebugStringW.KERNEL32(writing minidump,904898A6,771EF860,00000000,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17B88
GetCurrentThreadId.KERNEL32 ref: 00E17B8E
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17BAF
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17BBC
LoadLibraryW.KERNEL32(?,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17BF1
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17C0D
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17C59
__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00E17C65
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17CDA
LoadLibraryW.KERNEL32(dbghelp.dll,?,?,?,?,?,?,00000000,00E47BD0,00E9A818,000000FE), ref: 00E17CE7

Strings

TMPlaying, xrefs: 00E17C2C
\dbghelp.dll, xrefs: 00E17BE1, 00E17CC4
dbghelp.dll, xrefs: 00E17CE2
raising exception, xrefs: 00E17B3D
writing minidump, xrefs: 00E17B83
MiniDumpWriteDump, xrefs: 00E17CF7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad$CurrentDebugFileOutputPathString$ExceptionModuleNameProcessRaiseRemoveSpecTempThread__swprintf
String ID: MiniDumpWriteDump$TMPlaying$\dbghelp.dll$dbghelp.dll$raising exception$writing minidump
API String ID: 1873934928-1408066759
Opcode ID: fb209b4b522a1c1a53f6a2621672a8642f8ed247a2c94f9e378fdda4b55fa7a9
Instruction ID: 0b3e6dfa85e07f47b01ad59c77398c62e260d4605ff12e890c837f35324ab139
Opcode Fuzzy Hash: fb209b4b522a1c1a53f6a2621672a8642f8ed247a2c94f9e378fdda4b55fa7a9
Instruction Fuzzy Hash: C151E376900249AFCB20DF68DC44BEAB7B5FF88714F158128ED0DBB291DB309949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D0CB Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 419windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E3D0D2
GetFocus.USER32 ref: 00E3D0F4
GetParent.USER32(?), ref: 00E3D137
GetParent.USER32(?), ref: 00E3D14A
GetKeyState.USER32(00000012), ref: 00E3D21D
IsWindow.USER32(?), ref: 00E3D2AD
GetFocus.USER32 ref: 00E3D2B7
IsWindow.USER32(?), ref: 00E3D2CF
GetFocus.USER32 ref: 00E3D2D9
IsDialogMessageW.USER32(?,?), ref: 00E3D352
GetFocus.USER32 ref: 00E3D362
GetFocus.USER32 ref: 00E3D379
GetKeyState.USER32(00000010), ref: 00E3D398
MessageBeep.USER32(00000000), ref: 00E3D49E

Strings

+, xrefs: 00E3D43E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Focus$MessageParentStateWindow$BeepDialogH_prolog3_catch
String ID: +
API String ID: 44247675-2126386893
Opcode ID: 73af97d9e848dc23490f5f6ea9ac38293bab7120b9561bbfb2daf339f2e3d046
Instruction ID: 3f9991f902c3bcb9f8506b88602ba12aa0b81a423357779cf43fa05894db3040
Opcode Fuzzy Hash: 73af97d9e848dc23490f5f6ea9ac38293bab7120b9561bbfb2daf339f2e3d046
Instruction Fuzzy Hash: 7AD1DF31A082259FDF25AB65EC4DABE7FB5EF44714F142119E846BB2A2CB30CC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E0A8E0 Relevance: 31.8, APIs: 4, Strings: 14, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 00E12230: __fread_nolock.LIBCMT ref: 00E122C3

GetFileAttributesW.KERNEL32(?), ref: 00E0AA95
GetFileAttributesW.KERNEL32(?), ref: 00E0AAA7

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

--called_by_client_to_sync, xrefs: 00E0AC51
.zip, xrefs: 00E0A95F, 00E0A9FF
.txt, xrefs: 00E0AB58
.cfg, xrefs: 00E0AB5D
c:\rhub2\pcsetup\pcsetup.cpp, xrefs: 00E0A902
c:\rhub2\code\setuphandler\setuphandler.cpp, xrefs: 00E0AABC, 00E0AB2C, 00E0AC12, 00E0AC71
--called_by_downloader, xrefs: 00E0AC3F
starter.cfg, xrefs: 00E0A92A, 00E0AB1D, 00E0AB77
Loaded %s successfully, xrefs: 00E0AB22, 00E0AC08
Delay to load setting, xrefs: 00E0AC67
PCClientAccessory.zip, xrefs: 00E0AA19
PCClient.zip, xrefs: 00E0A979
both client files are available, xrefs: 00E0AAB2
SetupHandler::LoadSetupConfigure, xrefs: 00E0AAC3, 00E0AB33, 00E0AC19, 00E0AC78

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AttributesCriticalFileSection$EnterLeave__fread_nolock
String ID: --called_by_client_to_sync$--called_by_downloader$.cfg$.txt$.zip$Delay to load setting$Loaded %s successfully$PCClient.zip$PCClientAccessory.zip$SetupHandler::LoadSetupConfigure$both client files are available$c:\rhub2\code\setuphandler\setuphandler.cpp$c:\rhub2\pcsetup\pcsetup.cpp$starter.cfg
API String ID: 936925517-164824950
Opcode ID: 3ea0f0ed5d664bef1b90b3da92fb4b6d1d20d56e9b03e8b6d720b4c43f8aa059
Instruction ID: a32ad6faaaf27d536f8558bf7c7d745a7dfe9580f951a652fc23dc7f992cc339
Opcode Fuzzy Hash: 3ea0f0ed5d664bef1b90b3da92fb4b6d1d20d56e9b03e8b6d720b4c43f8aa059
Instruction Fuzzy Hash: 3DA10571A40308ABDB24DB24CC46B9D77B4FF04308F14A5E8E5487B2D2DBB29AC58BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2F894 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 162libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,?,00000108,00E265EA,?,?), ref: 00E2F8C7
GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00E2F8D7
EncodePointer.KERNEL32(00000000,?,?,?,00000108,00E265EA,?,?), ref: 00E2F8E0
DecodePointer.KERNEL32(15066AE0,?,?,?,?,?,00000108,00E265EA,?,?), ref: 00E2F8EE
GetUserDefaultUILanguage.KERNEL32(?,?,?,00000108,00E265EA,?,?), ref: 00E2F918
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00E2F928
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00E2F957
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E2F985
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00E2F995
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00E2F9CD
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 00E2FA03

Strings

e, xrefs: 00E2F921, 00E2F92D, 00E2F938, 00E2F949, 00E2F95C, 00E2F968, 00E2F98E, 00E2F99A, 00E2F9A6, 00E2F9C0, 00E2F9D2, 00E2F9E1, 00E2F9F8, 00E2FA0B, 00E2FA16, 00E2F926, 00E2F930, 00E2F93B, 00E2F952, 00E2F95F, 00E2F96B, 00E2F993, 00E2F99D, 00E2F9A9, 00E2F9C9, 00E2F9D5, 00E2F9E4, 00E2F9FD, 00E2FA0E, 00E2FA19
GetThreadPreferredUILanguages, xrefs: 00E2F8D1
kernel32.dll, xrefs: 00E2F8C2
e, xrefs: 00E2F8A8, 00E2F8FF, 00E2F927, 00E2F953, 00E2F994, 00E2F9CA

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
String ID: GetThreadPreferredUILanguages$kernel32.dll$e$e
API String ID: 404278886-1276406016
Opcode ID: 5e46b18a8a8ef16a9153f776414cebde5803bb7a23d268950675decb7fafe2d8
Instruction ID: 837c334a74a5df47e254a0ab0488f91d46e31b9a081e3f9799195c63b5d30fcc
Opcode Fuzzy Hash: 5e46b18a8a8ef16a9153f776414cebde5803bb7a23d268950675decb7fafe2d8
Instruction Fuzzy Hash: 175118B290021AAFCB05EBA5D985DAFB7BCEF48340F111525F905F7251DB34AA09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E17160 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Internet Explorer,00000000,00000001,00000000,00000000), ref: 00E17182
RegQueryValueExW.ADVAPI32(?,Build,00000000,00000000,?,?), ref: 00E171B5
RegQueryValueExW.ADVAPI32(?,Version,00000000,00000000,?,?), ref: 00E1720C
RegCloseKey.ADVAPI32(?), ref: 00E17248

Part of subcall function 00E19B10: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000002,00000000,00000000,00000000,00000000,771EF860,?,?,00E18284,?,?,00000200), ref: 00E19B40
Part of subcall function 00E19B10: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000002,00000000,00000000,00000000,00000000,00000000,?,?,00E18284,?,?,00000200), ref: 00E19B62

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000001,?), ref: 00E17261
RegQueryValueExW.ADVAPI32(?,MinorVersion,00000000,00000000,?,?), ref: 00E1728A
RegCloseKey.ADVAPI32(?), ref: 00E172C6

Strings

Software\Microsoft\Internet Explorer, xrefs: 00E17178
MinorVersion, xrefs: 00E17281
Version, xrefs: 00E17203
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00E17257
Build, xrefs: 00E171AC
P, xrefs: 00E1726F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$ByteCharCloseMultiOpenWide
String ID: Build$MinorVersion$P$Software\Microsoft\Internet Explorer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$Version
API String ID: 678391126-2977682357
Opcode ID: 8016fb7afe43388156f4ba1c09aa2a7dd4e58834222de0c2559ea754fea7deaf
Instruction ID: 590a2871d10445aacaa259218485261b4de95017de786b04aa0d816754bedd3d
Opcode Fuzzy Hash: 8016fb7afe43388156f4ba1c09aa2a7dd4e58834222de0c2559ea754fea7deaf
Instruction Fuzzy Hash: FA41B17465C305EAD710DF61EC06FAAB7B8BF48B00F005829FD49B25E1EB70A589CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00E5C02C Relevance: 22.8, APIs: 15, Instructions: 307COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E5C09C
_free.LIBCMT ref: 00E5C0B2
_free.LIBCMT ref: 00E5C0C3
_free.LIBCMT ref: 00E5C0D4
_free.LIBCMT ref: 00E5C0EB
GetCPInfo.KERNEL32(?,?), ref: 00E5C133

Part of subcall function 00E66F05: _free.LIBCMT ref: 00E66F70

_free.LIBCMT ref: 00E5C2FD
_free.LIBCMT ref: 00E5C310
_free.LIBCMT ref: 00E5C31E
_free.LIBCMT ref: 00E5C329
_free.LIBCMT ref: 00E5C36B
_free.LIBCMT ref: 00E5C373
_free.LIBCMT ref: 00E5C37B
_free.LIBCMT ref: 00E5C383
_free.LIBCMT ref: 00E5C391

Part of subcall function 00E65081: MultiByteToWideChar.KERNEL32(00E5C952,00000000,?,?,00000000,00000000,?,00000000,7FFFFFFF,-00000001,00E5C952,00000001,?,?,00000001,?), ref: 00E650C9
Part of subcall function 00E65081: MultiByteToWideChar.KERNEL32(00E5C952,00000001,?,?,00000000,?), ref: 00E65153
Part of subcall function 00E65081: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E65165
Part of subcall function 00E65081: __freea.LIBCMT ref: 00E6516E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InfoStringType__freea
String ID:
API String ID: 607174680-0
Opcode ID: 383c6df831668a02816b901ef57794f5e37df42a7f483600b968c6d1dccf97bc
Instruction ID: 2d37239c16e7910962f699cf9e83932ada5fcc7e7afe7a9e1a46f582518ec8c6
Opcode Fuzzy Hash: 383c6df831668a02816b901ef57794f5e37df42a7f483600b968c6d1dccf97bc
Instruction Fuzzy Hash: 7EB1B37090430A9FDB21DFB4C895BEEBBF5FF08705F245469E849B7292DA719849CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E19D30 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 144registrynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000002,?,?,?,?), ref: 00E19D8C
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,?,?,?,?,?,?,?), ref: 00E19DF0
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?), ref: 00E19DFE
RegCloseKey.ADVAPI32(?), ref: 00E19E39
RegSetValueExW.ADVAPI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00E19E7B
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?), ref: 00E19E85
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?), ref: 00E19EAB
WSAGetLastError.WS2_32(?,?), ref: 00E19EB5

Strings

RegSetValueEx() failed. iErrorCode = %d, Error = %s, sKey = %s, sName = %s, sValue = %s, xrefs: 00E19E14, 00E19E9B
RegistryHandler::AddRegistryValue(), xrefs: 00E19E22, 00E19ED9
RegOpenKeyEx() failed. iErrorCode = %d, Error = %s, sKey = %s, sName = %s, sValue = %s, xrefs: 00E19ECB
c:\rhub2\code\utility\registryhandler.cpp, xrefs: 00E19E1B, 00E19ED2

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseValue$ByteCharMultiOpenWide
String ID: RegOpenKeyEx() failed. iErrorCode = %d, Error = %s, sKey = %s, sName = %s, sValue = %s$RegSetValueEx() failed. iErrorCode = %d, Error = %s, sKey = %s, sName = %s, sValue = %s$RegistryHandler::AddRegistryValue()$c:\rhub2\code\utility\registryhandler.cpp
API String ID: 1877916705-1395665049
Opcode ID: e9263ae33c623f9977cad4e979a31ed369c77d3fdb1b303d52080e1e59584414
Instruction ID: 8fdde00c4a816f18813d433b8dcf68a51aaaaf19b40d978cabc5187c3bad774e
Opcode Fuzzy Hash: e9263ae33c623f9977cad4e979a31ed369c77d3fdb1b303d52080e1e59584414
Instruction Fuzzy Hash: 8741A371644304BFE220DB11DC86FEB77ECEF49714F005528FA4DB2192EB61A949C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E65217 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E6525B

Part of subcall function 00E64525: _free.LIBCMT ref: 00E64542
Part of subcall function 00E64525: _free.LIBCMT ref: 00E64554
Part of subcall function 00E64525: _free.LIBCMT ref: 00E64566
Part of subcall function 00E64525: _free.LIBCMT ref: 00E64578
Part of subcall function 00E64525: _free.LIBCMT ref: 00E6458A
Part of subcall function 00E64525: _free.LIBCMT ref: 00E6459C
Part of subcall function 00E64525: _free.LIBCMT ref: 00E645AE
Part of subcall function 00E64525: _free.LIBCMT ref: 00E645C0
Part of subcall function 00E64525: _free.LIBCMT ref: 00E645D2
Part of subcall function 00E64525: _free.LIBCMT ref: 00E645E4
Part of subcall function 00E64525: _free.LIBCMT ref: 00E645F6
Part of subcall function 00E64525: _free.LIBCMT ref: 00E64608
Part of subcall function 00E64525: _free.LIBCMT ref: 00E6461A

_free.LIBCMT ref: 00E65250

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

_free.LIBCMT ref: 00E65272
_free.LIBCMT ref: 00E65287
_free.LIBCMT ref: 00E65292
_free.LIBCMT ref: 00E652B4
_free.LIBCMT ref: 00E652C7
_free.LIBCMT ref: 00E652D5
_free.LIBCMT ref: 00E652E0
_free.LIBCMT ref: 00E65318
_free.LIBCMT ref: 00E6531F
_free.LIBCMT ref: 00E6533C
_free.LIBCMT ref: 00E65354

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e59ecfddde8c85ee534548f3770b5da6cff233b9b9a487ddd703129a6327abe1
Instruction ID: 8296f0f2d54662fc6b00390c8fa6ae99cfbdac807d5e568b05ae9f1322e8a18e
Opcode Fuzzy Hash: e59ecfddde8c85ee534548f3770b5da6cff233b9b9a487ddd703129a6327abe1
Instruction Fuzzy Hash: 55318F72644B02DFEB30AA79EC49B5B73E9EF01395F24681AE458F72A1DF70AC458710

Uniqueness

Uniqueness Score: -1.00%

Function 00E17D50 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 132filetimeCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00000000,0000040E,?,?,00000000,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E17DCC
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E17E16
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E17E31
GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E17E43
CloseHandle.KERNEL32(00000000,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E17E63

Strings

%s, xrefs: 00E17E81
Version Information:, xrefs: 00E17EC6
File Size: %-10d File Time: %s, xrefs: 00E17EB8
Image Base: 0x%08x Image Size: 0x%08x, xrefs: 00E17E92
Checksum: 0x%08x Time Stamp: 0x%08x, xrefs: 00E17EA3
Module %d, xrefs: 00E17E6F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNameSizeTime
String ID: %s$Checksum: 0x%08x Time Stamp: 0x%08x$File Size: %-10d File Time: %s$Image Base: 0x%08x Image Size: 0x%08x$Module %d$Version Information:
API String ID: 3087221180-4170275160
Opcode ID: ee18649ff5778e6d80918af36d9d374fd76c946e209aae1eea35cbef038e458f
Instruction ID: e4fce570b617a35433b3e66dc0fdb43ac893c52255ecba365339a22426f1baa8
Opcode Fuzzy Hash: ee18649ff5778e6d80918af36d9d374fd76c946e209aae1eea35cbef038e458f
Instruction Fuzzy Hash: C3417DB1A44248AFCB20DFA4DC41FEE77B8BF09704F405529FA19B6182D774A654CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00E64623 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E6466B
_free.LIBCMT ref: 00E6468F
_free.LIBCMT ref: 00E6469C
_free.LIBCMT ref: 00E646C1
_free.LIBCMT ref: 00E646CE
_free.LIBCMT ref: 00E646D7
_free.LIBCMT ref: 00E649B5
_free.LIBCMT ref: 00E649BD

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 952113a65a11a2aa5b390834f46b560fd4c18085fed53e3248da0e992cee0f9f
Instruction ID: 7b24b71f45b259016794c6ae0da9ae0cafdc7cb353a13a7fe10e5a3b72bb5576
Opcode Fuzzy Hash: 952113a65a11a2aa5b390834f46b560fd4c18085fed53e3248da0e992cee0f9f
Instruction Fuzzy Hash: EAC154B2E80205AFDB20DBA8DC86FEF77F8AB49740F155565FA04FB2C2D6709A418750

Uniqueness

Uniqueness Score: -1.00%

Function 00E418F3 Relevance: 18.2, APIs: 12, Instructions: 223COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E418FA
_strlen.LIBCMT ref: 00E41936

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_strlen
String ID:
API String ID: 782648989-0
Opcode ID: e1310441310796680981a6af369f170310f5167c735f33c770edfe63d08a00ca
Instruction ID: 311d5ae452575e60115ec99679216d6a5c2180abbd8148d8bcd7f6dcc77aa853
Opcode Fuzzy Hash: e1310441310796680981a6af369f170310f5167c735f33c770edfe63d08a00ca
Instruction Fuzzy Hash: 23818B71D00229AFDF25DFA5EC85AEEBBB8FF04354F141169E905B7292DB309984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E322F4 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 406windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E322FE
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00E324F7
_wcsrchr.LIBVCRUNTIME ref: 00E325AD
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00E326C8
InvalidateRect.USER32(?,00000000,00000001), ref: 00E326EE
UpdateWindow.USER32(?), ref: 00E32710
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00E327CD
InvalidateRect.USER32(?,00000000,00000001), ref: 00E327F3
UpdateWindow.USER32(?), ref: 00E32815

Strings

:/\, xrefs: 00E32541

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3__wcsrchr
String ID: :/\
API String ID: 3028567741-2793184486
Opcode ID: 009d19686227523197f8690b0b8b4c7c541a398601bfc842bade9a7c38993fa2
Instruction ID: 129b4a036c273b11d421f0c7b27ccad38fa5a45327de18b9d789a630f4180b39
Opcode Fuzzy Hash: 009d19686227523197f8690b0b8b4c7c541a398601bfc842bade9a7c38993fa2
Instruction Fuzzy Hash: 77F13C316002189FCB18EF24CD99BAD7BB5BF85301F1511D9E50AB72A2DB74AE89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E03555 Relevance: 16.7, APIs: 11, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 00E03774: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E0377D

CopyRect.USER32(?,?), ref: 00E03594
OffsetRect.USER32(?,?,?), ref: 00E035FB
GetSysColor.USER32(00000012), ref: 00E03667
GetSysColor.USER32(00000012), ref: 00E03679
GetSysColor.USER32(0000000F), ref: 00E03687
GetSysColor.USER32(00000012), ref: 00E036B4
GetSysColor.USER32(0000000F), ref: 00E036C6
OffsetRect.USER32(?,00000001,00000001), ref: 00E036DC
GetSysColor.USER32(00000014), ref: 00E036EC
OffsetRect.USER32(?,000000FF,000000FF), ref: 00E0370B
GetSysColor.USER32(00000010), ref: 00E03715

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Color$Rect$Offset$CopyMessageSend
String ID:
API String ID: 4180492184-0
Opcode ID: ad961339cebf741575bd863d6a40861a43260e401f3377ce670dad5c24eac6c4
Instruction ID: 2ba83c221c838dde5448aad7171e10349c1d9a5a26d19a3361970043fdb63c08
Opcode Fuzzy Hash: ad961339cebf741575bd863d6a40861a43260e401f3377ce670dad5c24eac6c4
Instruction Fuzzy Hash: AD615C71A00615AFCF14DFB8DC89AAEBBB9FF49320F144628E516A72D1CB70A944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E1A2B0 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

__fread_nolock.LIBCMT ref: 00E1A435

Strings

c:\rhub2\code\utility\statusfilehandler.cpp, xrefs: 00E1A4E0, 00E1A532, 00E1A5C2
%s\%s, xrefs: 00E1A3DE
Invalid iStatusFileType = %d, xrefs: 00E1A5BB
failed to open %s for writing, xrefs: 00E1A528
setup_status.txt, xrefs: 00E1A364
StatusFileHandler::WriteStatus, xrefs: 00E1A4E7, 00E1A539, 00E1A5C9
failed to replace %s for %s in %s, xrefs: 00E1A4D6
<__ClientCalledToLaunch__>Y</__ClientCalledToLaunch__>, xrefs: 00E1A373

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__fread_nolock
String ID: %s\%s$<__ClientCalledToLaunch__>Y</__ClientCalledToLaunch__>$Invalid iStatusFileType = %d$StatusFileHandler::WriteStatus$c:\rhub2\code\utility\statusfilehandler.cpp$failed to open %s for writing$failed to replace %s for %s in %s$setup_status.txt
API String ID: 3992567027-1419269579
Opcode ID: 1ce00dc01bdb13865c2acbe61b222e8eb8ad04aedd685225949840fd445e6884
Instruction ID: 5b8cce887ebd63155fb9fe49aab994ff4481bf71972aadef8b03da63a918f2cb
Opcode Fuzzy Hash: 1ce00dc01bdb13865c2acbe61b222e8eb8ad04aedd685225949840fd445e6884
Instruction Fuzzy Hash: FBA13871640248AFEB24EF64CC46FEE37AAEF45704F041128F918B7282DB7699848761

Uniqueness

Uniqueness Score: -1.00%

Function 00E19F10 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 288COMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

__fread_nolock.LIBCMT ref: 00E1A095

Strings

c:\rhub2\code\utility\statusfilehandler.cpp, xrefs: 00E1A10D, 00E1A184, 00E1A1F4
%s\%s, xrefs: 00E1A03E
failed to find %s in %s, xrefs: 00E1A17D
Invalid iStatusFileType = %d, xrefs: 00E1A1ED
failed to open %s for writing, xrefs: 00E1A106
setup_status.txt, xrefs: 00E19FC4
<__ClientCalledToLaunch__>Y</__ClientCalledToLaunch__>, xrefs: 00E19FD3
StatusFileHandler::ReadStatus, xrefs: 00E1A114, 00E1A18B, 00E1A1FB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__fread_nolock
String ID: %s\%s$<__ClientCalledToLaunch__>Y</__ClientCalledToLaunch__>$Invalid iStatusFileType = %d$StatusFileHandler::ReadStatus$c:\rhub2\code\utility\statusfilehandler.cpp$failed to find %s in %s$failed to open %s for writing$setup_status.txt
API String ID: 3992567027-1335245224
Opcode ID: 5dbcadc6da9cb4edece324c02118cf2d59c2221cdea7d50f739e61266917b116
Instruction ID: d6a84ce223aaad5299186ae0cdbb2185fbdc809f28b17eeb0892347f395dcbda
Opcode Fuzzy Hash: 5dbcadc6da9cb4edece324c02118cf2d59c2221cdea7d50f739e61266917b116
Instruction Fuzzy Hash: EEA10471640348AFEB24EF64CC86FEE37A9EF44700F541528F918B7292D7769A84C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E037E6 Relevance: 15.2, APIs: 10, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E037ED
GetClientRect.USER32(?,?), ref: 00E03817
CreateCompatibleDC.GDI32(00000000), ref: 00E03820
CreateRoundRectRgn.GDI32(?,?,?,?,00000000,00000000), ref: 00E03872
FrameRgn.GDI32(00000001,00000000,?,00000001,00000001), ref: 00E0389F
SetWindowRgn.USER32(?,00000000,00000000), ref: 00E038AC
CreateRoundRectRgn.GDI32(?,?,?,?,00000000,00000000), ref: 00E039A0
FrameRgn.GDI32(00000000,00000000,?,00000001,00000001), ref: 00E039C9
SetWindowRgn.USER32(?,00000000,00000000), ref: 00E039D6
DeleteDC.GDI32(?), ref: 00E039EE

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateRect$FrameRoundWindow$ClientCompatibleDeleteH_prolog3_
String ID:
API String ID: 1417020339-0
Opcode ID: 5ceb9063203e4c0df1d59be51f79560ee878c8b382289dad9626f8afcfe61580
Instruction ID: b58cde3c7ffd1e66e006bfc3531bdd26a9e94b99825a96572910500f78542d93
Opcode Fuzzy Hash: 5ceb9063203e4c0df1d59be51f79560ee878c8b382289dad9626f8afcfe61580
Instruction Fuzzy Hash: 1B6116B1A00209AFDF15EBA4DC86EEEBBBAFF48304F106119F556B2291DB715D44CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D417 Relevance: 15.1, APIs: 10, Instructions: 110memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E2D41E
EnterCriticalSection.KERNEL32(?,00000010,00E2D319,?,00000000), ref: 00E2D42F
TlsGetValue.KERNEL32(?,?,00000000), ref: 00E2D44B
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000), ref: 00E2D4BB
LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000), ref: 00E2D4D5
TlsSetValue.KERNEL32(?,00000000), ref: 00E2D506
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00E2D527
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00E2D538
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00E2D54A
__CxxThrowException@8.LIBVCRUNTIME ref: 00E2D554

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$AllocLocalValue$EnterException@8H_prolog3_catchThrow
String ID:
API String ID: 2756576426-0
Opcode ID: d1dc6de80cc901a1b8dfb2384056558c293821102128dc7addaa12c45145e085
Instruction ID: 882d6f30e3232dd9401043c300c38fb891dca0341d560d0d6e0525b94822a35f
Opcode Fuzzy Hash: d1dc6de80cc901a1b8dfb2384056558c293821102128dc7addaa12c45145e085
Instruction Fuzzy Hash: 66410F70504706EFC710EF64EC85D2AB7F4FF40314B209529E629B72A2CB70AD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E5CD34 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E5CD4A

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

_free.LIBCMT ref: 00E5CD56
_free.LIBCMT ref: 00E5CD61
_free.LIBCMT ref: 00E5CD6C
_free.LIBCMT ref: 00E5CD77
_free.LIBCMT ref: 00E5CD82
_free.LIBCMT ref: 00E5CD8D
_free.LIBCMT ref: 00E5CD98
_free.LIBCMT ref: 00E5CDA3
_free.LIBCMT ref: 00E5CDB1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 363f3eb1544732c4e20e3f6f0849ae4b962d8dfcc0d397ed1fa76b36858e827b
Instruction ID: 1e90475619e930880cdd9a38d1e01d20c2cb7fce3ca3e736238f9406ba299956
Opcode Fuzzy Hash: 363f3eb1544732c4e20e3f6f0849ae4b962d8dfcc0d397ed1fa76b36858e827b
Instruction Fuzzy Hash: 3F21C776904109EFCB51EFA8C885DDE7BB9AF08301F1055A6B919AB161DB32DA498B80

Uniqueness

Uniqueness Score: -1.00%

Function 00E20DF4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 143windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E20DFB

Part of subcall function 00E229B1: SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00E229EB
Part of subcall function 00E229B1: SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00E22A15
Part of subcall function 00E229B1: GetCapture.USER32 ref: 00E22A2B
Part of subcall function 00E229B1: SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00E22A3A

GetClientRect.USER32(?,?), ref: 00E20ED4
IsMenu.USER32(?), ref: 00E20F11
AdjustWindowRectEx.USER32(?,00000000,00000000), ref: 00E20F24
GetClientRect.USER32(?,?), ref: 00E20F71

Part of subcall function 00E2D82F: __EH_prolog3.LIBCMT ref: 00E2D836

Strings

<+, xrefs: 00E20E90
,%, xrefs: 00E20E85
,+, xrefs: 00E20F4E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageRectSend$ClientH_prolog3$AdjustCaptureMenuWindow
String ID: ,%$,+$<+
API String ID: 2126229686-2836839932
Opcode ID: 25ce3459471531d6824c41c5edb3573824b51cfe7c6aa745c95e2856cf976d26
Instruction ID: 75a446053ae458541d0b544223c272414049577772770851b80e3ce76e2004f9
Opcode Fuzzy Hash: 25ce3459471531d6824c41c5edb3573824b51cfe7c6aa745c95e2856cf976d26
Instruction Fuzzy Hash: 3141CE71A00229AFDF14EFA5D945EAEBBF9EF44310F105069F905B7292DB309A40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E358BE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E358C8
GetStockObject.GDI32(00000011), ref: 00E358EC
GetStockObject.GDI32(0000000D), ref: 00E358FB
GetObjectW.GDI32(?,0000005C,?), ref: 00E3591C
GetDeviceCaps.GDI32(?,0000005A), ref: 00E35996
OleCreateFontIndirect.OLEAUT32(00000020,00E84984), ref: 00E359C9

Strings

, xrefs: 00E35925
t', xrefs: 00E35910

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Object$Stock$CapsCreateDeviceFontH_prolog3_Indirect
String ID: $t'
API String ID: 721287286-2338888337
Opcode ID: ba525617293cbfd01166eb1486e20501d31830f09a10136c5db5619896ec0f6a
Instruction ID: d8d936ba46c72693161742af94f4ca217d2d036ef1f584adb6e3b33ed39dfcfa
Opcode Fuzzy Hash: ba525617293cbfd01166eb1486e20501d31830f09a10136c5db5619896ec0f6a
Instruction Fuzzy Hash: 2E313B70A0026ACEDF24DFA5C859BDDBBB4BF59304F1050AAE558B7292DB709A84DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E1FDAD Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00E1FDD3
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E1FDE3
EncodePointer.KERNEL32(00000000,?,00000000), ref: 00E1FDEC
DecodePointer.KERNEL32(00000000,?,00000000), ref: 00E1FDFA
GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00E1FE22

Strings

kernel32.dll, xrefs: 00E1FDCE
SetDefaultDllDirectories, xrefs: 00E1FDDD
\, xrefs: 00E1FE30

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
String ID: SetDefaultDllDirectories$\$kernel32.dll
API String ID: 2101061299-3881611067
Opcode ID: f46452115e2303bac8c39b41f06da675187f1e683a4d8099f4ed899e7b535008
Instruction ID: f988ffba9a109da77fe9eeba8d4f52931e7918cd7e4367f26e3348e49ec3c865
Opcode Fuzzy Hash: f46452115e2303bac8c39b41f06da675187f1e683a4d8099f4ed899e7b535008
Instruction Fuzzy Hash: 09219671E40218ABDB20EB76AC4DBEB36ECAF14754F141575F809F2162E770D9888AD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E56F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00E3E591
GetStockObject.GDI32(0000000D), ref: 00E3E59D
GetObjectW.GDI32(00000000,0000005C,?), ref: 00E3E5AE
GetDC.USER32(00000000), ref: 00E3E5BD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E3E5D4
MulDiv.KERNEL32(?,00000048,00000000), ref: 00E3E5E0
ReleaseDC.USER32(00000000,00000000), ref: 00E3E5EC

Strings

System, xrefs: 00E3E587, 00E3E601

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 87bae969783604d51eeaa08f6551fcfc648873cbb87018f47c07043317c5532e
Instruction ID: f9ca127d0a72bb5d215f0b14aab280e27842635c5ee885a64c54cd9f7695670b
Opcode Fuzzy Hash: 87bae969783604d51eeaa08f6551fcfc648873cbb87018f47c07043317c5532e
Instruction Fuzzy Hash: EB113A71600318ABEB14EB66DC4DBAE7BB8AF55705F001019FA0ABB2D1EA609D45DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E1F5C3 Relevance: 14.0, APIs: 9, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159f4732cdc65def2ef099875dd6fb022e9ada247cfcc28423614a2ff2c177a5
Instruction ID: e7168f695deffb74af4f92310d82002044be5bcfe0c96fa3f22dc3f67b77caa7
Opcode Fuzzy Hash: 159f4732cdc65def2ef099875dd6fb022e9ada247cfcc28423614a2ff2c177a5
Instruction Fuzzy Hash: 0802AC72910619DFCB05DFA9D8849EEBBB6FF49314B208169E915BB261D730AC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E40727 Relevance: 13.8, APIs: 9, Instructions: 266windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E4072E
SendMessageW.USER32(?,00000469,00000000,?), ref: 00E40830
SendMessageW.USER32(?,0000046A,?,00000000), ref: 00E40844
SendMessageW.USER32(?,00000468,?,00000000), ref: 00E40855
SendMessageW.USER32(?,00000470,00000000,00000000), ref: 00E40895
SendMessageW.USER32(?,0000046F,00000000,00000000), ref: 00E408E0
SendMessageW.USER32(?,00000473,00000000,00000001), ref: 00E40908
SendMessageW.USER32(?,0000046F,00000000), ref: 00E4098D
SendMessageW.USER32(?,00000473,00000000), ref: 00E409D3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID:
API String ID: 1885053084-0
Opcode ID: eeb6b39af3c3cdf62641effcdf61158fb91d2570835fe2ec109d98be837b7904
Instruction ID: f8478d21feeb357d6c6231f776446eee90c2d572ab6820485dcdeba31f37d351
Opcode Fuzzy Hash: eeb6b39af3c3cdf62641effcdf61158fb91d2570835fe2ec109d98be837b7904
Instruction Fuzzy Hash: 30A19874A00226DFDB08DF65E984B7EB7B5BF88310F141169EA16B7392CB30AD51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E205E0 Relevance: 13.6, APIs: 9, Instructions: 121windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E205EA
SendMessageW.USER32(00000000,00000000,00000000,00000080), ref: 00E20630
SendMessageW.USER32(00000000,00000000,00000000,?), ref: 00E2065C
ValidateRect.USER32(?,00000000), ref: 00E2066B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$H_prolog3_RectValidate
String ID:
API String ID: 3261311288-0
Opcode ID: a43f17db967a508c62248e37d3892723187d40b57f8ce9f47a95a8b3f8af5fd8
Instruction ID: 92342c83e5a94a25e7b735f1c0f1a660dc5679e497e79dd5119cacf36e773320
Opcode Fuzzy Hash: a43f17db967a508c62248e37d3892723187d40b57f8ce9f47a95a8b3f8af5fd8
Instruction Fuzzy Hash: 2B417F71A00225DFCF21AFA1EC95AAEB7F5BF88304F10552DE05AB2262DB349954DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E5E23B Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 315COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E5E2BA

Strings

PK, xrefs: 00E5E445, 00E5E421
PK, xrefs: 00E5E251, 00E5E2A0, 00E5E2B9
PK, xrefs: 00E5E245

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strrchr
String ID: PK$PK$PK
API String ID: 3213747228-369804076
Opcode ID: ccec5464d1c7143ef411daf9246e01527796d28af9cd5e3b800101de3bb5fcbf
Instruction ID: 18cf99d2720716d4797ea4575f6d2ede94567d554add8d03b94b573e431c6757
Opcode Fuzzy Hash: ccec5464d1c7143ef411daf9246e01527796d28af9cd5e3b800101de3bb5fcbf
Instruction Fuzzy Hash: 6FB159329003869FDB29CF18C8417AEBBE5EF45315F1899A9EC54BB341D2349F49C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2159D Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 219libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 00E215C0

Part of subcall function 00E29057: __CxxThrowException@8.LIBVCRUNTIME ref: 00E2906B

GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 00E215F5
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 00E2161D
ScreenToClient.USER32(?,?), ref: 00E216A9

Strings

CloseGestureInfoHandle, xrefs: 00E2160F
user32.dll, xrefs: 00E215B6
GetGestureInfo, xrefs: 00E215E7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$ClientException@8HandleModuleScreenThrow
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 2384296010-2905070798
Opcode ID: 175b9478a28b54b8f2f44826ca53599883e4966b367524361f1e47a31daf3584
Instruction ID: 36083e6649e89aeb9a1d4d29b50892b22b88e104f5e8f223a720b11e1d706e64
Opcode Fuzzy Hash: 175b9478a28b54b8f2f44826ca53599883e4966b367524361f1e47a31daf3584
Instruction Fuzzy Hash: 79819F74A00629EFCB18DF69E8849A97BF4FB59314B1401A9E815F7760D731EE25CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00E749B0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 218COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00E74A36
_strncpy.LIBCMT ref: 00E74A57

Part of subcall function 00E71660: _strstr.LIBCMT ref: 00E716B7
Part of subcall function 00E71660: _strstr.LIBCMT ref: 00E716CD

Strings

socks=%s, xrefs: 00E74BDB
, xrefs: 00E74AC0
SOCKS , xrefs: 00E74BBC
DIRECT, xrefs: 00E74B57
PROXY , xrefs: 00E74AF3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strstr$_strncpy
String ID: $DIRECT$PROXY $SOCKS $socks=%s
API String ID: 1902495667-4265802993
Opcode ID: 825e5b78e1910b90c9d3f047e77d95c1f7c2047e1bd2d644cf3466b0079b19bf
Instruction ID: c409422bc3404c64bb2598462afe05c134f62bb2e4693f3a14c741dacd128970
Opcode Fuzzy Hash: 825e5b78e1910b90c9d3f047e77d95c1f7c2047e1bd2d644cf3466b0079b19bf
Instruction Fuzzy Hash: FB81BEB1900259AEEF21CF64DC45FEEBBB9EB45304F049199E90D7B282E7315A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E1E3CA Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32(?,?,00000000), ref: 00E1E3F9

Part of subcall function 00E2DC0D: GetWindowTextW.USER32(?,?,00000100), ref: 00E2DC63
Part of subcall function 00E2DC0D: lstrcmpW.KERNEL32(?,00E1E507,?,00000000), ref: 00E2DC75
Part of subcall function 00E2DC0D: SetWindowTextW.USER32(?,00E1E507), ref: 00E2DC81

SendMessageW.USER32(?,00000087,00000000,00000000), ref: 00E1E414
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00E1E431
SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 00E1E49E
SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E1E4EE

Strings

0, xrefs: 00E1E4DD
@, xrefs: 00E1E4E4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
String ID: 0$@
API String ID: 72408025-1545510068
Opcode ID: a683385f145820d57fc6f45b59a1cf7975f41567c55b43e2b7bfc09f20ba06d2
Instruction ID: 0ceef21391f717eb482877e9ce36af8bffab66fe44c3a2cef47f8a45c959e90c
Opcode Fuzzy Hash: a683385f145820d57fc6f45b59a1cf7975f41567c55b43e2b7bfc09f20ba06d2
Instruction Fuzzy Hash: 6F41CE31200225EFCB24DF65D848FEAB7B9FF04718F109629F91AB6652D771E881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E20E65 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AB5A: GetWindowLongW.USER32(?,000000F0), ref: 00E2AB67

GetClientRect.USER32(?,?), ref: 00E20ED4
IsMenu.USER32(?), ref: 00E20F11
AdjustWindowRectEx.USER32(?,00000000,00000000), ref: 00E20F24
GetClientRect.USER32(?,?), ref: 00E20F71

Strings

<+, xrefs: 00E20E90
,%, xrefs: 00E20E85
,+, xrefs: 00E20F4E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClientWindow$AdjustLongMenu
String ID: ,%$,+$<+
API String ID: 3435883281-2836839932
Opcode ID: 9f09028ca1ab32dcf35c96e04596cf651ee694e3ba813145ffaff099dc06a979
Instruction ID: f5ef74039e152f0ee3cd6f5325a57fa8d71e41d5e71ae1ffaa2bbec35460d1aa
Opcode Fuzzy Hash: 9f09028ca1ab32dcf35c96e04596cf651ee694e3ba813145ffaff099dc06a979
Instruction Fuzzy Hash: 92317071A00229AFDB14EFA5D949EBFBBF9EF48710B145069E905F3281DB709E00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E21087 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E210A7
FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 00E210DF
SizeofResource.KERNEL32(?,00000000), ref: 00E210F1
LoadResource.KERNEL32(?,?), ref: 00E210FE
LockResource.KERNEL32(00000000), ref: 00E2110B
FreeResource.KERNEL32(00000000), ref: 00E21130

Strings

AFX_DIALOG_LAYOUT, xrefs: 00E210D0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 4180966417-2436846380
Opcode ID: 90fc7e0eb91e811aa69752c22c538c0763956e9ee1385a287a4fc73162d6e18f
Instruction ID: 15be07667ec8764eaa5b077bfe7758700999268bc2160c9f22f6af512f23e518
Opcode Fuzzy Hash: 90fc7e0eb91e811aa69752c22c538c0763956e9ee1385a287a4fc73162d6e18f
Instruction Fuzzy Hash: D021E731A01314AFDB51AFB9AC4876E77F8AF58704F0440B8E604F3221EB708E54C750

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A2AC Relevance: 12.3, APIs: 8, Instructions: 272windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E3A2EC
GetDesktopWindow.USER32 ref: 00E3A31A
GetWindowRect.USER32(?,?), ref: 00E3A32D
GetWindowRect.USER32(?,?), ref: 00E3A33A

Part of subcall function 00E2AE75: MoveWindow.USER32(?,?,?,?,?,?,?,?,00E023E7,?,?,?,?,?), ref: 00E2AE92

Part of subcall function 00E2B152: ShowWindow.USER32(?,000003E8,?,?,00E027E3,000003E8,00000005), ref: 00E2B163

IntersectRect.USER32(?,?,?), ref: 00E3A544
EqualRect.USER32(?,?), ref: 00E3A54F
IsRectEmpty.USER32(?), ref: 00E3A559
InvalidateRect.USER32(?,?,?,?,00000000), ref: 00E3A576

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: RectWindow$DesktopEmptyEqualIntersectInvalidateMoveShowVisible
String ID:
API String ID: 3589585919-0
Opcode ID: a56476d8dcb4629b3596c9d00fd50a1c3b8769104dad375dde57823e772bed9d
Instruction ID: d02a88d55c6b809f809394891945d6c0e9c79b7c6823afb9d66a3d76abe012f7
Opcode Fuzzy Hash: a56476d8dcb4629b3596c9d00fd50a1c3b8769104dad375dde57823e772bed9d
Instruction Fuzzy Hash: 45A14E71A00219DFCB04DFA9D988EAEBBB9FF48700F145169E545FB261DB70AD40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E641BC Relevance: 12.2, APIs: 8, Instructions: 202COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E642BF
_free.LIBCMT ref: 00E642EC

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 348cd7c930924d7461c81781c78ef67f21221e740160ec6fc4ff7190cc050a62
Instruction ID: ff4c78c7714e6b51f64d32e61d4a8f1e0c751b65867da656a968fd4859ffe40e
Opcode Fuzzy Hash: 348cd7c930924d7461c81781c78ef67f21221e740160ec6fc4ff7190cc050a62
Instruction Fuzzy Hash: 865109B09C4305AFDB20AFB5BC81AAE77F4AF01398F145569F920B73D2EA319945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2DCEC Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 00E2DD10
ClientToScreen.USER32(?,?), ref: 00E2DD2B
GetWindow.USER32(?,00000005), ref: 00E2DD34
GetDlgCtrlID.USER32(00000000), ref: 00E2DD44
GetWindowLongW.USER32(00000000,000000F0), ref: 00E2DD54
GetWindowRect.USER32(00000000,?), ref: 00E2DD72
PtInRect.USER32(?,?,?), ref: 00E2DD82
GetWindow.USER32(00000000,00000002), ref: 00E2DD91

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$ChildClientCtrlFromLongPointRealScreen
String ID:
API String ID: 151369081-0
Opcode ID: e3a204492458decf62103bfb8b5567c7c93db289909c541d0163f3ea37c5b513
Instruction ID: a103a6ac8959a31995e676de0dd5d5f9c5d75d4d0b79fb5cb4f7ba410bbedc20
Opcode Fuzzy Hash: e3a204492458decf62103bfb8b5567c7c93db289909c541d0163f3ea37c5b513
Instruction Fuzzy Hash: 9921747190152AAFCB11DFB9DC489EFBBB8EF45310B144229F905F3251DB349A458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E03EE2 Relevance: 12.1, APIs: 8, Instructions: 68windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000001,00000000,00000000,00008000), ref: 00E03F0C
LoadImageW.USER32(?,?,00000001,00000000,00000000,00008000), ref: 00E03F22

Part of subcall function 00E0373F: DestroyIcon.USER32(?,?,?,00E0320B,00000000,?,00000000,?,?,00E01F4B,00000066,?,00000004,00E01701), ref: 00E03756

GetIconInfo.USER32(?,?), ref: 00E03F39
GetObjectW.GDI32(?,00000018,?), ref: 00E03F48
CopyImage.USER32(?,00000001,?,?,00008000), ref: 00E03F5C
DeleteObject.GDI32(?), ref: 00E03F83
DeleteObject.GDI32(?), ref: 00E03F88
InvalidateRect.USER32(?,00000000,00000001,00000001), ref: 00E03F91

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ImageObject$DeleteIconLoad$CopyDestroyInfoInvalidateRect
String ID:
API String ID: 2045126027-0
Opcode ID: 17d81dffde3e1e57ad115cb5f17447107d60b381936ab4f9777a6e4143b50aa0
Instruction ID: 515e5bd8fcbd8c57a1558b51b9712b363258c88da054fdf6976601e84a288bc9
Opcode Fuzzy Hash: 17d81dffde3e1e57ad115cb5f17447107d60b381936ab4f9777a6e4143b50aa0
Instruction Fuzzy Hash: 4E212171A40218BFDF119FA5DC45FDD7BB9EF08710F144056FA08BA1D1D7B1A9849BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E03B35 Relevance: 12.1, APIs: 8, Instructions: 65windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E03B4D
GetParent.USER32(?), ref: 00E03B56
PostMessageW.USER32(?,00000202,?,?), ref: 00E03B7B
ClientToScreen.USER32(?,?), ref: 00E03B92
GetParent.USER32(?), ref: 00E03B9B
PostMessageW.USER32(?,00000202,?,?), ref: 00E03BC0
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E03BE6
InvalidateRect.USER32(?,00000000,00000001), ref: 00E03BF2

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Message$ClientParentPostScreen$InvalidateRectSend
String ID:
API String ID: 4027511905-0
Opcode ID: 24d75f38618c575801256309bdaeed1bd2b9f89ebe856f19d6190249227accf4
Instruction ID: b28b941475ec1c8e0709465693e6ec78d10d7f9db4334b805fa92b4cf22d22e6
Opcode Fuzzy Hash: 24d75f38618c575801256309bdaeed1bd2b9f89ebe856f19d6190249227accf4
Instruction Fuzzy Hash: C9219371100224EFEB119F65DC08DAA7FB9FF84701B008529F59A950B2D7719894DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E26189 Relevance: 12.1, APIs: 8, Instructions: 60memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 00E2619D
lstrcmpW.KERNEL32(00000000,?), ref: 00E261AE
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00E261C3
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00E261E3
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00E261EB
GlobalLock.KERNEL32(00000000), ref: 00E261F5
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00E26206
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00E2621E

Part of subcall function 00E2DBDA: GlobalFlags.KERNEL32(?), ref: 00E2DBE7
Part of subcall function 00E2DBDA: GlobalUnlock.KERNEL32(?,?,?,?,00E25C72,00000000,904898A6), ref: 00E2DBF5
Part of subcall function 00E2DBDA: GlobalFree.KERNEL32(?), ref: 00E2DC01

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 493c5c0bec43ccbffe1dbe459fc25fd773ce54a75563766a5db1b7e61185d1f1
Instruction ID: c4d2f3fbc844bba59a586b99e07a6825181679a3219c4e1c1d0384ceb62372a8
Opcode Fuzzy Hash: 493c5c0bec43ccbffe1dbe459fc25fd773ce54a75563766a5db1b7e61185d1f1
Instruction Fuzzy Hash: F51151B2400A18FFEB22AFA5ED85EAA7EECEF04748B001559B605A5032D771DD50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E2672B Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 272COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E267D2
CoCreateGuid.OLE32(?,00000000,00000000,00000030), ref: 00E2682F
SysFreeString.OLEAUT32(?), ref: 00E26A25

Strings

4J, xrefs: 00E2681F
RestartByRestartManager, xrefs: 00E268A7, 00E268AC, 00E268B4
%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00E2687F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateFreeGuidH_prolog3_String
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$4J$RestartByRestartManager
API String ID: 1084067465-914482400
Opcode ID: 4090f7558313ef5cb73b1cd4992c9bf9bafd57569d9c40b8c983fc8c1163ae8d
Instruction ID: 1b5a10f77a6a39ab996140819681f8be97ec6a582e0ca9402d7bd2c86efb9bfd
Opcode Fuzzy Hash: 4090f7558313ef5cb73b1cd4992c9bf9bafd57569d9c40b8c983fc8c1163ae8d
Instruction Fuzzy Hash: 18A19C71A00219AFCB04EFA8EC95EFEB7B9BF49310F145169F505B7292DA34AD44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B717 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00E6B9ED,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00E6B7C3
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00E6B9ED,00000000,00000000,?,00000001,?,?,?,?), ref: 00E6B846
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00E6B9ED,?,00E6B9ED,00000000,00000000,?,00000001,?,?,?,?), ref: 00E6B8D6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E6B9ED,00000000,00000000,?,00000001,?,?,?,?), ref: 00E6B8ED

Part of subcall function 00E5DEBD: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E6B9ED,00000000,00000000,?,00000001,?,?,?,?), ref: 00E6B969
__freea.LIBCMT ref: 00E6B994
__freea.LIBCMT ref: 00E6B9A0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c7a2648ff363300d3ccd7ec7690f1966e9e75ef49de0baf06cc19f840b808286
Instruction ID: 76f18573541972978b5c0783edf21fa09c545e4fac6f7aaa2ad5345347f9b384
Opcode Fuzzy Hash: c7a2648ff363300d3ccd7ec7690f1966e9e75ef49de0baf06cc19f840b808286
Instruction Fuzzy Hash: 2191D672E802169EDF249E64EC81AEE7BF59F89794F14261AE905F7241D734DCC0C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E283F8 Relevance: 10.8, APIs: 7, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E28402
MapDialogRect.USER32(?,00000000), ref: 00E284A9
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00E284CF
CLSIDFromString.OLE32(?,?,00000000), ref: 00E285DC
CLSIDFromProgID.OLE32(?,?,00000000), ref: 00E285E4
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,00000000,00000378,00000000), ref: 00E2868F
SysFreeString.OLEAUT32(00000000), ref: 00E286E5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3_ProgRectWindow
String ID:
API String ID: 773032744-0
Opcode ID: 6e0d4e7130cd54ea535a68a494b90e8006be7f33be18bd27072e148ca732a9bd
Instruction ID: 91217d38495a4061b1aec194d37f4859fca9ed0987c8a447bae6152e833efa97
Opcode Fuzzy Hash: 6e0d4e7130cd54ea535a68a494b90e8006be7f33be18bd27072e148ca732a9bd
Instruction Fuzzy Hash: 20B11475E012299FDB14DFA8C984AEDBBF5FF48310F14416AE819EB381EB30A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E64A48 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E64AB7
_free.LIBCMT ref: 00E64AC5
_free.LIBCMT ref: 00E64BF3
_free.LIBCMT ref: 00E64BFE

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f212c3640c4a9f1d2a4d1af9a3bfc1544e325f91e0e1d45665645be5f6831edb
Instruction ID: dd7bb31f397767791b35d77d07fe1024ec4c92626daa7ddf241fda234de11698
Opcode Fuzzy Hash: f212c3640c4a9f1d2a4d1af9a3bfc1544e325f91e0e1d45665645be5f6831edb
Instruction Fuzzy Hash: D461D4B1D44205EFDB20DF68E841B9ABBF5EF49790F14156AE844FB381EB70AD418B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E04F40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E04FA8
std::_Lockit::_Lockit.LIBCPMT ref: 00E04FC7
std::_Lockit::~_Lockit.LIBCPMT ref: 00E04FE7
std::_Facet_Register.LIBCPMT ref: 00E05079
std::_Lockit::~_Lockit.LIBCPMT ref: 00E05091

Strings

9, xrefs: 00E04FA1, 00E0508E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: 9
API String ID: 459529453-2455714165
Opcode ID: 799c04b4d94ff5be069f55826bfb595ffb7feaaafae5a3a4d9bd2fc881447a3c
Instruction ID: 1745764dcee9f7ed695a7385d5fff624dd1b506665eb53addea04b032ffeec67
Opcode Fuzzy Hash: 799c04b4d94ff5be069f55826bfb595ffb7feaaafae5a3a4d9bd2fc881447a3c
Instruction Fuzzy Hash: DA61DD72A00645CFDB11CFA8C884BAEBBF4EF59304F159059E506BB392DB70AD84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E5FD9A Relevance: 10.7, APIs: 7, Instructions: 162fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00E0EC8E,00E0EC8E,?,?,?,?,?,?,?,00E60526,00E4F84C,00E0EC8E,00E0EC8E,?,004BEC50), ref: 00E5FDDC
__fassign.LIBCMT ref: 00E5FE5B
__fassign.LIBCMT ref: 00E5FE7A
WideCharToMultiByte.KERNEL32(?,00000000,00E0EC8E,00000001,00E0EC8E,00000005,00000000,00000000), ref: 00E5FEA7
WriteFile.KERNEL32(?,00E0EC8E,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00E60526), ref: 00E5FEC7
WriteFile.KERNEL32(?,00E4F84C,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00E60526), ref: 00E5FF01

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d2b51e9102623b1697ff383c9a27b8a24d38d7a6483294e33ae65def2cddbc2c
Instruction ID: 1681740f83fa93bde57a7a80d9f3fc8f4b3489a43e428408298858eeac5a3e70
Opcode Fuzzy Hash: d2b51e9102623b1697ff383c9a27b8a24d38d7a6483294e33ae65def2cddbc2c
Instruction Fuzzy Hash: B0519171E00249AFCF10CFA8D885AEEBBF8EF09311F14556AE955F7292D730A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C700 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3C707
VariantClear.OLEAUT32(?), ref: 00E3C80B

Part of subcall function 00E3C190: __EH_prolog3_GS.LIBCMT ref: 00E3C197
Part of subcall function 00E3C190: VariantClear.OLEAUT32(?), ref: 00E3C37B
Part of subcall function 00E3C190: VariantClear.OLEAUT32(?), ref: 00E3C58F

Part of subcall function 00E3DFC8: VariantCopy.OLEAUT32(?,?), ref: 00E3DFD7

VariantClear.OLEAUT32(?), ref: 00E3C7B3
SysFreeString.OLEAUT32(00000000), ref: 00E3C871
SysFreeString.OLEAUT32(00000000), ref: 00E3C880
SysFreeString.OLEAUT32(00000000), ref: 00E3C88F
VariantClear.OLEAUT32(?), ref: 00E3C8A9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$FreeString$CopyH_prolog3H_prolog3_
String ID:
API String ID: 3189293932-0
Opcode ID: 2b43b2ab10b640deb0735be0c1f50e69cfacd26bceefe75c3d186449b95794e1
Instruction ID: daf7d80bda5a1bbb7dbc0b025392e0fbdd71bbf89a8506a98212c3c9fd1e1512
Opcode Fuzzy Hash: 2b43b2ab10b640deb0735be0c1f50e69cfacd26bceefe75c3d186449b95794e1
Instruction Fuzzy Hash: 9E513A71E00219DFDB18DFA4D889B9DBBB4FF08304F24516AE519B7291DB70A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E276EF Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: cd8d53bbba84c818d1da35741a094da0037f6287181f1c08c6e5fb5b0ee25dd3
Instruction ID: ccef126f572cab6acdae70f7bb1ef6c86fd754b44a4af3dfe6b90d4ad347388d
Opcode Fuzzy Hash: cd8d53bbba84c818d1da35741a094da0037f6287181f1c08c6e5fb5b0ee25dd3
Instruction Fuzzy Hash: 5E313735301621AFDB225735AC4CEBEBBAAAF84755F192035F505B7252DF148E41C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00E05E40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 00E05EEF
__Getcvt.LIBCPMT ref: 00E05F10
Concurrency::cancel_current_task.LIBCPMT ref: 00E05FC5
Concurrency::cancel_current_task.LIBCPMT ref: 00E05FCA

Strings

true, xrefs: 00E05F69
false, xrefs: 00E05F33

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskGetcvt
String ID: false$true
API String ID: 2176591428-2658103896
Opcode ID: f1a997098f0453d77e9d1515baf2a2e80e9c851d5590cdf7bb1fe3350e810d91
Instruction ID: 721410e4dbcbd978391afbe5dccb3b78cb4e34fd2ac4fb9058416bf73355c783
Opcode Fuzzy Hash: f1a997098f0453d77e9d1515baf2a2e80e9c851d5590cdf7bb1fe3350e810d91
Instruction Fuzzy Hash: 3D41D572A007058FDF14DFA4C9417ABBBF8EF44304F1491ADEA18BB282DBB5D9458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E27303 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E2730D
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 00E273FE
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 00E2741B
RegCloseKey.ADVAPI32(?), ref: 00E2743C
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 00E27457

Strings

Software\, xrefs: 00E27378

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 92f2cd1906a4c2786c25629e3376613111cea0808552e74869bd9ff33e2f9f4f
Instruction ID: 195987e3231634483253488902f54a2ad8073c15ea6896c836f2ab2a0b7c59e4
Opcode Fuzzy Hash: 92f2cd1906a4c2786c25629e3376613111cea0808552e74869bd9ff33e2f9f4f
Instruction Fuzzy Hash: 36416131901139ABCF20EB90EC88EEEB7B9BF49314F105199F558B2251DB349E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D9F8 Relevance: 10.6, APIs: 7, Instructions: 118windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2D94D: GetParent.USER32(?), ref: 00E2D9AA
Part of subcall function 00E2D94D: GetLastActivePopup.USER32(?), ref: 00E2D9BD
Part of subcall function 00E2D94D: IsWindowEnabled.USER32(?), ref: 00E2D9D1
Part of subcall function 00E2D94D: EnableWindow.USER32(?,00000000), ref: 00E2D9E4

EnableWindow.USER32(?,00000001), ref: 00E2DA43
GetWindowThreadProcessId.USER32(?,?), ref: 00E2DA59
GetCurrentProcessId.KERNEL32 ref: 00E2DA63
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00E2DA79
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E2DAFC
MessageBoxW.USER32(?,?,?,00E291FA), ref: 00E2DB1E
EnableWindow.USER32(00000000,00000001), ref: 00E2DB43

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID:
API String ID: 1924968399-0
Opcode ID: ae6ffae355b7cd6fc447997b64ed34b4b11f81f80816b86c8839643a29b195ef
Instruction ID: ac9579c112270a054d5bf76c9f6a0f101373fa4de2ee6cb9b98214c459a8c154
Opcode Fuzzy Hash: ae6ffae355b7cd6fc447997b64ed34b4b11f81f80816b86c8839643a29b195ef
Instruction Fuzzy Hash: 1E419FB5A4822C9FDB20DF65DC88BE9B3B8FF14704F1015A9E619F7281D7709E808B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E47BD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E47BFB
___except_validate_context_record.LIBVCRUNTIME ref: 00E47C03
_ValidateLocalCookies.LIBCMT ref: 00E47C91
__IsNonwritableInCurrentImage.LIBCMT ref: 00E47CBC
_ValidateLocalCookies.LIBCMT ref: 00E47D11

Strings

csm, xrefs: 00E47CA6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 217541d8b9408687770573b6350633219f66cf1e6baf9d7fef7349022152ef6f
Instruction ID: 55488c76f7070f4502aa0bceafb701fcb084fd57be161e9af2428e6bf1c51bbc
Opcode Fuzzy Hash: 217541d8b9408687770573b6350633219f66cf1e6baf9d7fef7349022152ef6f
Instruction Fuzzy Hash: 0D41D874E042099BCF00DF68E884A9EBBF5EF49328F149155E858BB392D7319D05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E26FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E26FF3
RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000230), ref: 00E270A5

Part of subcall function 00E26F85: __EH_prolog3.LIBCMT ref: 00E26F8C

RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 00E270C9
RegCloseKey.ADVAPI32(?), ref: 00E27194

Strings

Software\Classes\, xrefs: 00E2704B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 854624316-1121929649
Opcode ID: ecffce8340ab961093c81e65d13c184f742a656b644a7b8460be517dc764525e
Instruction ID: c52a71d1747223d6c3ca02122d2400332d0e923fa1534d57537991186652d62f
Opcode Fuzzy Hash: ecffce8340ab961093c81e65d13c184f742a656b644a7b8460be517dc764525e
Instruction Fuzzy Hash: 45419E31905229EBDB21EBA4ED89BEDB7B8BF44300F2010D9E44977291DB349F84CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00E21E27 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 00E21E52
GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 00E21E87
GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 00E21EAF

Strings

GetTouchInputInfo, xrefs: 00E21E79
CloseTouchInputHandle, xrefs: 00E21EA1
user32.dll, xrefs: 00E21E48

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 667068680-1853737257
Opcode ID: 135f5474881c811a5ba3e9620e43171c564a6deac2edbe1ff42db51765269c44
Instruction ID: 5019a669c193d8913a619fad48a6cde4f592fc5500dc68d4b7eb839166173d62
Opcode Fuzzy Hash: 135f5474881c811a5ba3e9620e43171c564a6deac2edbe1ff42db51765269c44
Instruction Fuzzy Hash: 0E31B734B00211AFDB249F6AFD0896A3BA5FF5A7567001479F90AF7261DB30AD08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E60AED Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57a6b27cd2060aaef605babf9c5f3a8168a4b5f46a948466b94a51a887c95b7
Instruction ID: 210798ce29d1999c43bb05002c245f2c08978ed6532a570e31180a9d6a70cbb5
Opcode Fuzzy Hash: a57a6b27cd2060aaef605babf9c5f3a8168a4b5f46a948466b94a51a887c95b7
Instruction Fuzzy Hash: 5A11D231544225BFDB206FB6AC08DAB3AE8EFC13A8B105528F855F6291DA3088009670

Uniqueness

Uniqueness Score: -1.00%

Function 00E27795 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00E277D0
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00E277FC
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00E27828
RegCloseKey.ADVAPI32(00000000), ref: 00E2783A
RegCloseKey.ADVAPI32(00000000), ref: 00E27849

Part of subcall function 00E2729F: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E272B0
Part of subcall function 00E2729F: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00E272C0

Strings

software, xrefs: 00E277B9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 937a8573d8c435f0edf5aa3728ef3e4b3001d80b7d657b43030a3e177be924eb
Instruction ID: 4ed9ac96bf25bcbea0b527199b871b3b72df98cfdfc70b178609e3db0febd853
Opcode Fuzzy Hash: 937a8573d8c435f0edf5aa3728ef3e4b3001d80b7d657b43030a3e177be924eb
Instruction Fuzzy Hash: 4C216A72A04128BFDB19DB90AC48EBFBB7DEB04705F10506AB805F2111D7708E44D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00E22C94 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,user32.dll), ref: 00E22CA5
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 00E22CB7
GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 00E22CC5

Strings

RegisterTouchWindow, xrefs: 00E22CB1
UnregisterTouchWindow, xrefs: 00E22CBD
user32.dll, xrefs: 00E22C9C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 667068680-2470269259
Opcode ID: 4cfd2bebd6b86fabe0753db83e92ed17dd999ad6bc9e665c2d79173707d81a51
Instruction ID: d6c60840270b003faee9ed1ab14ea3937b35df8a37de660ff906befa292089f0
Opcode Fuzzy Hash: 4cfd2bebd6b86fabe0753db83e92ed17dd999ad6bc9e665c2d79173707d81a51
Instruction Fuzzy Hash: D811E632300624BFD710AB66EC48A6EF7ACFF44765B00512BFA09B7611CB70AC4587E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5CF9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E4EA47,00E5D11B,?,?,00E5B4AC,?,?), ref: 00E5CFA4
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E5B4AC,?,?), ref: 00E5CFCA
_free.LIBCMT ref: 00E5D00A
_free.LIBCMT ref: 00E5D03D
SetLastError.KERNEL32(00000000,?), ref: 00E5D04A

Strings

Pn, xrefs: 00E5D031

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_free
String ID: Pn
API String ID: 3170660625-1375425085
Opcode ID: 62c54659c361ef225f802cef8455ff88eee0c12a8e2c8af5da142aa7f1c9ee0a
Instruction ID: 95c9e6a85857344d667daa77430ba03d7c18574a82dccc48cc6503297a14af73
Opcode Fuzzy Hash: 62c54659c361ef225f802cef8455ff88eee0c12a8e2c8af5da142aa7f1c9ee0a
Instruction Fuzzy Hash: D411C6362482006F87316735AC85C6F22EB9B9A377B352E15FD34B21E1DE61CD1E6161

Uniqueness

Uniqueness Score: -1.00%

Function 00E5CE4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
_free.LIBCMT ref: 00E5CEA9
_free.LIBCMT ref: 00E5CEDD
SetLastError.KERNEL32(00000000), ref: 00E5CEEA
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

Strings

Pn, xrefs: 00E5CED0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$_free
String ID: Pn
API String ID: 3170660625-1375425085
Opcode ID: 42176172446cd74a0da67a8dfebb6d1bbbbe96b680f2b7f4c186d47206e20cb2
Instruction ID: d4a3ddf71d55aa53981c2d01d5421be67e3b52963c6b0e27fd36ce9dabcadaaf
Opcode Fuzzy Hash: 42176172446cd74a0da67a8dfebb6d1bbbbe96b680f2b7f4c186d47206e20cb2
Instruction Fuzzy Hash: CD11E5351442016EC7317335EC5AD7F22AA9BAB777F342E15FD34B21E1EE21881E6121

Uniqueness

Uniqueness Score: -1.00%

Function 00E64F1E Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E64C64: _free.LIBCMT ref: 00E64C8D

_free.LIBCMT ref: 00E64F6C

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

_free.LIBCMT ref: 00E64F77
_free.LIBCMT ref: 00E64F82
_free.LIBCMT ref: 00E64FD6
_free.LIBCMT ref: 00E64FE1
_free.LIBCMT ref: 00E64FEC
_free.LIBCMT ref: 00E64FF7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f775ad679ef64de4d42467409bf44ad96d34863621b3dc23410eb0229fc732d6
Instruction ID: 6c66d8de6d91e99834e9f06a677c63f8baccd1240b7f7b240c41f5cb68f94cfe
Opcode Fuzzy Hash: f775ad679ef64de4d42467409bf44ad96d34863621b3dc23410eb0229fc732d6
Instruction Fuzzy Hash: 091181B1581B04AAE530B7B0DC8BFCBB7DD5F44740F40AC15B6A9762D2DE24B5098658

Uniqueness

Uniqueness Score: -1.00%

Function 00E03A8C Relevance: 10.6, APIs: 7, Instructions: 52windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E03AA2
GetParent.USER32(?), ref: 00E03AAB
PostMessageW.USER32(?,00000201,?,?), ref: 00E03AD0
ClientToScreen.USER32(?,?), ref: 00E03AE8
GetParent.USER32(?), ref: 00E03AF1
PostMessageW.USER32(?,00000201,?,?), ref: 00E03B16
InvalidateRect.USER32(?,00000000,00000001), ref: 00E03B2A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ClientMessageParentPostScreen$InvalidateRect
String ID:
API String ID: 640176750-0
Opcode ID: 1926c4e1db33bb45722cd60ce3b49173feda067768aa93905edc1174a4afc922
Instruction ID: 05ce8217a935121f2bd60e80461533ca50ff59412d9ddfcd5d71aef85bb00fff
Opcode Fuzzy Hash: 1926c4e1db33bb45722cd60ce3b49173feda067768aa93905edc1174a4afc922
Instruction Fuzzy Hash: 30112171110224EFEF119F71DC08EAA7BB9FF48711F008919F59A650B2D7759994DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E19C80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50registrynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

RegCreateKeyW.ADVAPI32(?,?,?), ref: 00E19CC2
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00E19CD0
WSAGetLastError.WS2_32(?,?,?), ref: 00E19CDA

Strings

RegCreateKeyEx() failed. iErrorCode = %d, Error = %s, sKey = %s, xrefs: 00E19CEE
RegistryHandler::AddRegistryKey(), xrefs: 00E19CFF
c:\rhub2\code\utility\registryhandler.cpp, xrefs: 00E19CF8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCloseCreateErrorLastMultiWide
String ID: RegCreateKeyEx() failed. iErrorCode = %d, Error = %s, sKey = %s$RegistryHandler::AddRegistryKey()$c:\rhub2\code\utility\registryhandler.cpp
API String ID: 4090531696-2747358197
Opcode ID: 955a27969c7cfe0431758c7e443fa09311194d8cbc2b687768fe515bc5caef9c
Instruction ID: f90cd60095397e8d6c70fb96f406f14ee2fbf9df0e4b96ec7c26eb9e180f1a2e
Opcode Fuzzy Hash: 955a27969c7cfe0431758c7e443fa09311194d8cbc2b687768fe515bc5caef9c
Instruction Fuzzy Hash: B50192B6504300AFD660AB11EC46FEB77E8EF95700F005429FA4DB2192E770698A87A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FAE7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E26A7A,?,?,?,?), ref: 00E2FAF9
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 00E2FB09
EncodePointer.KERNEL32(00000000,?,?,00E26A7A,?,?,?,?), ref: 00E2FB12
DecodePointer.KERNEL32(00000000,?,?,00E26A7A,?,?,?,?), ref: 00E2FB20

Strings

kernel32.dll, xrefs: 00E2FAF4
RegisterApplicationRecoveryCallback, xrefs: 00E2FB03

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRecoveryCallback$kernel32.dll
API String ID: 2061474489-202725706
Opcode ID: f6411516631719fc42c60c5b9caaba302b4cf21c55ca219276b5bda34a3207c1
Instruction ID: 18e0e33bae56f562379412e636119c96d1d23779688f5284f42d0798731da380
Opcode Fuzzy Hash: f6411516631719fc42c60c5b9caaba302b4cf21c55ca219276b5bda34a3207c1
Instruction Fuzzy Hash: 6CF01D31601225AF8F119FA6FE1899A7BB8EF087457001035FD0DB6231DB30D8548B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FBAB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 00E2FBBD
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00E2FBCD
EncodePointer.KERNEL32(00000000), ref: 00E2FBD6
DecodePointer.KERNEL32(00000000), ref: 00E2FBE4

Strings

SHGetKnownFolderPath, xrefs: 00E2FBC7
shell32.dll, xrefs: 00E2FBB8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 2061474489-2936008475
Opcode ID: 40c71be5beb8df5521772ca118006b0833e567f4cf560e55a906f246841fb0d8
Instruction ID: 67a580059527ef11e444d69edd585ea885d62c6dcb9c97fe1714b659b711de5a
Opcode Fuzzy Hash: 40c71be5beb8df5521772ca118006b0833e567f4cf560e55a906f246841fb0d8
Instruction Fuzzy Hash: DCF0303164422ABF8B11AFA2FD08CAA7AB8BF087417045138FD0EF6271DB7198558B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FC10 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 00E2FC22
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00E2FC32
EncodePointer.KERNEL32(00000000), ref: 00E2FC3B
DecodePointer.KERNEL32(00000000), ref: 00E2FC49

Strings

comctl32.dll, xrefs: 00E2FC1D
TaskDialogIndirect, xrefs: 00E2FC2C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: 8c4bedd681dc0178c20c317db9c4df36d6f443c8d9254750dc2f5c4d4c6bb7cc
Instruction ID: 26ae4e47fc512bc6398b7c96545bfc75550094b4cf6a15cb8a39c044dfd2c745
Opcode Fuzzy Hash: 8c4bedd681dc0178c20c317db9c4df36d6f443c8d9254750dc2f5c4d4c6bb7cc
Instruction Fuzzy Hash: A5F03031500229BF9F11AF62BD09C997BB8AF087417005034FD0EF6271D731D8549BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FB4C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E26A5E,?,?), ref: 00E2FB5E
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00E2FB6E
EncodePointer.KERNEL32(00000000,?,?,00E26A5E,?,?), ref: 00E2FB77
DecodePointer.KERNEL32(00000000,?,?,00E26A5E,?,?), ref: 00E2FB85

Strings

RegisterApplicationRestart, xrefs: 00E2FB68
kernel32.dll, xrefs: 00E2FB59

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRestart$kernel32.dll
API String ID: 2061474489-1259503209
Opcode ID: 1bf04e690a07b21b64a0ae345e8b2aab20b3db78b73732cd2a46e14a59a8f784
Instruction ID: f0bdc2b103fcaa83758da11bec9342ea01101d5616f2485a91f49d1a25113ec3
Opcode Fuzzy Hash: 1bf04e690a07b21b64a0ae345e8b2aab20b3db78b73732cd2a46e14a59a8f784
Instruction Fuzzy Hash: B0F08C31601229BF8B10AB72FC1CCA93BB8AF48B953045135FD0EFA231DB30C9448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2F7BF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E26040,00000000), ref: 00E2F7D1
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 00E2F7E1
EncodePointer.KERNEL32(00000000,?,?,00E26040,00000000), ref: 00E2F7EA
DecodePointer.KERNEL32(00000000,?,?,00E26040,00000000), ref: 00E2F7F8

Strings

kernel32.dll, xrefs: 00E2F7CC
ApplicationRecoveryInProgress, xrefs: 00E2F7DB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryInProgress$kernel32.dll
API String ID: 2061474489-2899047487
Opcode ID: 3a5f3198179937d33f3bc8bf76f059cb4cc8a2ad200f4c2502a41da29265872b
Instruction ID: 07683cde84ebe59e71eb5f047781db5fdeb62ef296fe6b14ced9a74f667f4bda
Opcode Fuzzy Hash: 3a5f3198179937d33f3bc8bf76f059cb4cc8a2ad200f4c2502a41da29265872b
Instruction Fuzzy Hash: 69F0A731A00325AF9B18ABB2BC0C96A7BBCAF04B453145134FD0DF7272DB30D9448790

Uniqueness

Uniqueness Score: -1.00%

Function 00E2F76A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E26083,00000001), ref: 00E2F77C
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 00E2F78C
EncodePointer.KERNEL32(00000000,?,00E26083,00000001), ref: 00E2F795
DecodePointer.KERNEL32(00000000,?,?,00E26083,00000001), ref: 00E2F7A3

Strings

ApplicationRecoveryFinished, xrefs: 00E2F786
kernel32.dll, xrefs: 00E2F777

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryFinished$kernel32.dll
API String ID: 2061474489-1962646049
Opcode ID: b31064b26eb4392d7d376903495e195daa9f09d49897e1c8deab92ffc2af9896
Instruction ID: c411196367c736772d763c5574c90d4eae0ff381538509d66c911bd290b847ba
Opcode Fuzzy Hash: b31064b26eb4392d7d376903495e195daa9f09d49897e1c8deab92ffc2af9896
Instruction Fuzzy Hash: 0FF03032611325AF8B10ABB6FC0885A3BACAF05B863015075FD0EF2262DB20DD458A90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2FA9C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 00E2FAAB
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00E2FABB
EncodePointer.KERNEL32(00000000), ref: 00E2FAC4
DecodePointer.KERNEL32(00000000), ref: 00E2FAD2

Strings

comctl32.dll, xrefs: 00E2FAA6
TaskDialogIndirect, xrefs: 00E2FAB5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: ff572629ee0c8619705f50387f22bd411ba677e78d5241b24bc02fdbb7316c64
Instruction ID: d312284fcfa09e183f604d926809ac51092cbd1726d9c70140ba12d993de9d44
Opcode Fuzzy Hash: ff572629ee0c8619705f50387f22bd411ba677e78d5241b24bc02fdbb7316c64
Instruction Fuzzy Hash: 92E04871A45771AFAB10FB727D0899637E8EF057453051574F80EF2161E730CC4586A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2E007 Relevance: 10.5, APIs: 7, Instructions: 25COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00E2E00C
GetSysColor.USER32(00000010), ref: 00E2E017
GetSysColor.USER32(00000014), ref: 00E2E022
GetSysColor.USER32(00000012), ref: 00E2E02D
GetSysColor.USER32(00000006), ref: 00E2E038
GetSysColorBrush.USER32(0000000F), ref: 00E2E043
GetSysColorBrush.USER32(00000006), ref: 00E2E04E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 564ad3d10acac501e554a8cbc8f1d05006d098bf47eff72638980dd38fed9078
Instruction ID: 112145710e837a4f2b4619bc70a43b390fe8b683f0d1c227c7176a5c46d58522
Opcode Fuzzy Hash: 564ad3d10acac501e554a8cbc8f1d05006d098bf47eff72638980dd38fed9078
Instruction Fuzzy Hash: 82F09EB19507109FE721EFB2A94D7867AA0BF08711F000D19E34E9B992D77590C4DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00E56096 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E56223
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E5623F
__allrem.LIBCMT ref: 00E56256
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E56274
__allrem.LIBCMT ref: 00E5628B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E562A9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 4e5e403073922fd89b04acce72c3119d95467152bb764d8ed283d26fa2542c62
Instruction ID: 6c77994ff8f5ff8d5d254fd44a8d7cdd40d97c447b6fa9e1f703b1c6cb968abb
Opcode Fuzzy Hash: 4e5e403073922fd89b04acce72c3119d95467152bb764d8ed283d26fa2542c62
Instruction Fuzzy Hash: 59813A72A00B06ABE7249E68DC41B6A73F8EF40365F54692DF944F7691EBB0DD088750

Uniqueness

Uniqueness Score: -1.00%

Function 00E5ADE4 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5CE4E: GetLastError.KERNEL32(?,?,00E54CF3,00E9D440,00000010), ref: 00E5CE52
Part of subcall function 00E5CE4E: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E54CF3,00E9D440,00000010), ref: 00E5CEF6

_memcmp.LIBVCRUNTIME ref: 00E5B08E
_free.LIBCMT ref: 00E5B0FF
_free.LIBCMT ref: 00E5B118
_free.LIBCMT ref: 00E5B14A
_free.LIBCMT ref: 00E5B153
_free.LIBCMT ref: 00E5B15F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: 7927de618c0b416d00f099b3fa160f38b884c1feab561912626301e91c40cd7e
Instruction ID: 013202353c5d350995565563e3548af337a0114cd5322475bc6700f115539e35
Opcode Fuzzy Hash: 7927de618c0b416d00f099b3fa160f38b884c1feab561912626301e91c40cd7e
Instruction Fuzzy Hash: AFB14F75A01219DFDB24DF18C889AAEB7B4FF08305F5459AAD909B7390EB31AD94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00E670B7 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000000,7FFFFFFF,?,?,?,?,00E672FD,00000001,00000001,00000000), ref: 00E67111
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,00E672FD,00000001,00000001,00000000,-00000001,?,?), ref: 00E6718F
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,-00000001,00000000,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E67286
__freea.LIBCMT ref: 00E67293

Part of subcall function 00E5DEBD: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

__freea.LIBCMT ref: 00E6729C
__freea.LIBCMT ref: 00E672C1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 088fb0da701014ef347b84d0d7a2a3756e87aa6a22745bc9fb5c06ed99fae76a
Instruction ID: 13fe0c55180cb299ba3c8327162a9e884dfba965eaf8dc201501f1dad3c2d288
Opcode Fuzzy Hash: 088fb0da701014ef347b84d0d7a2a3756e87aa6a22745bc9fb5c06ed99fae76a
Instruction Fuzzy Hash: 775123B2644206AFEB248F65EC41EBF37E9EB81798F185A29FC44F6150EB34DC448660

Uniqueness

Uniqueness Score: -1.00%

Function 00E04010 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E04043
std::_Lockit::_Lockit.LIBCPMT ref: 00E04065
std::_Lockit::~_Lockit.LIBCPMT ref: 00E04085
__Getctype.LIBCPMT ref: 00E0412C
std::_Facet_Register.LIBCPMT ref: 00E04155
std::_Lockit::~_Lockit.LIBCPMT ref: 00E0416D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: b38af2e151845a29b94f387a0f7fa96af74273fde5845373c094e850fa0b8038
Instruction ID: 0f98f75ffc4e4ae6bef2f0693bc96639c297ee5b92626ad962f7561d86cb6cfb
Opcode Fuzzy Hash: b38af2e151845a29b94f387a0f7fa96af74273fde5845373c094e850fa0b8038
Instruction Fuzzy Hash: F841DDF1A00614CFCB11DF94E980BAAB7F4EF55714F149169EA06BB2C2DB70AD85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E3DCA3 Relevance: 9.1, APIs: 6, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E3DCB9
GetWindow.USER32(?,00000002), ref: 00E3DCDB
GetWindow.USER32(?,00000002), ref: 00E3DCF0
GetWindowLongW.USER32(?,000000EC), ref: 00E3DD03
IsWindowVisible.USER32(?), ref: 00E3DD19
GetTopWindow.USER32(?), ref: 00E3DD43

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: ee2363d1dad49e8dbf0a49a66d3eafa1eeb23dad8bc5734b18c078294a296012
Instruction ID: dea9115d951d3a9dc6cc5fe90db6da08d00396c6e4ab758e7489615c41d3fc44
Opcode Fuzzy Hash: ee2363d1dad49e8dbf0a49a66d3eafa1eeb23dad8bc5734b18c078294a296012
Instruction Fuzzy Hash: BE217132908624ABDF326B35EC0DBAEBEA9BF84754F452614BC46B7172D760DC50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D94D Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00E2D985
GetParent.USER32(?), ref: 00E2D993
GetParent.USER32(?), ref: 00E2D9AA
GetLastActivePopup.USER32(?), ref: 00E2D9BD
IsWindowEnabled.USER32(?), ref: 00E2D9D1
EnableWindow.USER32(?,00000000), ref: 00E2D9E4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 05edc3b79a21cda1f5dae76039dc8e78baee9589b21c863c86d1285568a110bf
Instruction ID: 0b54b6e455141d397017817f543e6c19b230aa5bb22f3161324ef22ae48b45f7
Opcode Fuzzy Hash: 05edc3b79a21cda1f5dae76039dc8e78baee9589b21c863c86d1285568a110bf
Instruction Fuzzy Hash: 41110B326092305BD7225F26BC847ABB2AC6FD5B58B156115FE08F7251D7A0CCC087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E491A4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E4919B,00E465C5), ref: 00E491B2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E491C0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E491D9
SetLastError.KERNEL32(00000000,?,00E4919B,00E465C5), ref: 00E4922B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: cdfea079bcc2fa1d6cd9486b4235873cf3a879b5c8ced6bb79b953aea59a11ec
Instruction ID: 4b0bad9d48059f13f1b047df41d3f4840dfc66312593af718f685c89bb29aee9
Opcode Fuzzy Hash: cdfea079bcc2fa1d6cd9486b4235873cf3a879b5c8ced6bb79b953aea59a11ec
Instruction Fuzzy Hash: D001473220D2123EAB242B75BC8986B3A94EB1B339339123AF520753F3FF520C089154

Uniqueness

Uniqueness Score: -1.00%

Function 00E21933 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2D29E: __EH_prolog3.LIBCMT ref: 00E2D2A5

SendMessageW.USER32(?,00000433,00000000,?), ref: 00E21B0B
GetWindowLongW.USER32(?,000000FC), ref: 00E21B16
GetWindowLongW.USER32(?,000000FC), ref: 00E21B2A
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00E21B53

Strings

,, xrefs: 00E21AF3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$H_prolog3MessageSend
String ID: ,
API String ID: 4140968126-3772416878
Opcode ID: 33a94942e05fc58ca2ec7fce1fa0da7410e55f0cc2ebc8e89714b54eb3e659c0
Instruction ID: 222ce8f2b3b1923dd0eb5a6439ca068861fc4c68093ae8c007d8afbab61ecff8
Opcode Fuzzy Hash: 33a94942e05fc58ca2ec7fce1fa0da7410e55f0cc2ebc8e89714b54eb3e659c0
Instruction Fuzzy Hash: 0571A171700225AFCB15AF75E895A6D7BF5BF98310B0411A9E945BB292EB30EE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E31035 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E3103C
_wcsrchr.LIBVCRUNTIME ref: 00E3105D
CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 00E31097

Strings

%08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 00E310E7
4J, xrefs: 00E31080

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateGuidH_prolog3__wcsrchr
String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X$4J
API String ID: 1226536641-1768582390
Opcode ID: 0b46f618f87e83f62db93b8f06ad794118fbdc1ba9563c1eef3d46c8b948789e
Instruction ID: 14329ed12bc7dbe5c4b8c732a9416d42f4be8229685cf172d980f8cc1bb470bd
Opcode Fuzzy Hash: 0b46f618f87e83f62db93b8f06ad794118fbdc1ba9563c1eef3d46c8b948789e
Instruction Fuzzy Hash: 5E41D0B1900159AFCB05EBA8CC55AFEBBF8AF49311F141069F555F7282CA789E44CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00E33D5E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E33D65
__CxxThrowException@8.LIBVCRUNTIME ref: 00E33D9B
__EH_prolog3_catch.LIBCMT ref: 00E33DA8

Part of subcall function 00E33CD9: __EH_prolog3.LIBCMT ref: 00E33CE0

Strings

tG, xrefs: 00E33DB9
tG, xrefs: 00E33D92, 00E33D9A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_catchThrow
String ID: tG$tG
API String ID: 24280941-276734821
Opcode ID: ffeac092064d486add30960b30637f64207795e5b14875193f57bb41ada60a06
Instruction ID: 33100789b2552c7b6d06150f20437e88eaad1101002bfbda77bb668a5c24ef66
Opcode Fuzzy Hash: ffeac092064d486add30960b30637f64207795e5b14875193f57bb41ada60a06
Instruction Fuzzy Hash: 9F31847190120AABDF14EFB4CC46BEEBBE8AF00314F105928F511B72D2DB749A50C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BDA7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Edit, xrefs: 00E2BDFE

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 4fe797aab532ddfdc205b8bb995e067f49ae526db5ab2f6a65f6906d784a530d
Instruction ID: 12f00aa3e6a67098b8ded13c74e4cfc6c11ba69197026161a3f7da2add45bd1f
Opcode Fuzzy Hash: 4fe797aab532ddfdc205b8bb995e067f49ae526db5ab2f6a65f6906d784a530d
Instruction Fuzzy Hash: 7411A531300225ABEA311F35BC09BF677A8AF54759F156429E646F20A1DB60D840D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2F23D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E2F244
GetClassNameW.USER32(?,00000000,00000400), ref: 00E2F27B
GetWindowLongW.USER32(?,000000F0), ref: 00E2F2B4

Strings

ComboBox, xrefs: 00E2F28E
ComboBoxEx32, xrefs: 00E2F29F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ClassH_prolog3LongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 297531199-1907415764
Opcode ID: 31229c7d76762db59d439197e02617ac94984b1a9ca720eebe839845bc41b305
Instruction ID: 7812538a959a578c7755d094d1db144e651b167fbc1c675be1dbf17e55488d81
Opcode Fuzzy Hash: 31229c7d76762db59d439197e02617ac94984b1a9ca720eebe839845bc41b305
Instruction Fuzzy Hash: 5501C476504222ABDB00F760DC06BEE73F8BF21325F502529F911721E2DF305944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E553CE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00E553E3

Strings

.com, xrefs: 00E55423
.bat, xrefs: 00E55412
.cmd, xrefs: 00E55401
.exe, xrefs: 00E553F0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: b608ef2730227f46cd9f390ffb1cb4ba35b288134ea2c8e7d9b615ce5e880007
Instruction ID: 87591ea807792b2d555eecc52138162003f3433caa5d16b8b7078404de91bfd8
Opcode Fuzzy Hash: b608ef2730227f46cd9f390ffb1cb4ba35b288134ea2c8e7d9b615ce5e880007
Instruction Fuzzy Hash: 17F0C23328AF122599243220BC22ADA17C88F22377FE17816FC2C764E5EE4199C942A4

Uniqueness

Uniqueness Score: -1.00%

Function 00E3327B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E3328E
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 00E3329E
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E332E7

Strings

CreateFileTransactedW, xrefs: 00E33298
kernel32.dll, xrefs: 00E33289

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: a5f8355767f2d7777f98404c3d3719f31016ad1dd914778fa508f890868a530d
Instruction ID: 3c0cd929cab8c622c9c02005bc9dd572bf1cf7dd5dbd47de1f443188a9b312a1
Opcode Fuzzy Hash: a5f8355767f2d7777f98404c3d3719f31016ad1dd914778fa508f890868a530d
Instruction Fuzzy Hash: 5101483610020ABFCF125FA1DC09CAB3F7AFF98795B148129FA1861074C732C961EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E17FC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00E17E5F,?,?,?,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E17FD1
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00E17FEA
wsprintfW.USER32 ref: 00E18031

Strings

%d/%d/%d %02d:%02d:%02d, xrefs: 00E1802B
_~, xrefs: 00E17FF9, 00E1801D, 00E18029, 00E1802A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$DateLocalwsprintf
String ID: %d/%d/%d %02d:%02d:%02d$_~
API String ID: 3193010481-2688097607
Opcode ID: 50dbdf10b228c529a74023e3e7aace5ae31ad470af2b5edeb22c723c52bc04c5
Instruction ID: 45f71a4cc260df2d6acbf5525c49ab502c47dea3f5bf2352fc764f4adf68d917
Opcode Fuzzy Hash: 50dbdf10b228c529a74023e3e7aace5ae31ad470af2b5edeb22c723c52bc04c5
Instruction Fuzzy Hash: 0501F4F36102157FE308CB59CC01ABB73ECEFD8340B04842EF949E6241E634D98483A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E30F1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E30F47
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E30F57

Part of subcall function 00E27240: GetModuleHandleW.KERNEL32(Advapi32.dll,?), ref: 00E27253
Part of subcall function 00E27240: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00E27263

Strings

Advapi32.dll, xrefs: 00E30F42
RegDeleteKeyExW, xrefs: 00E30F51

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: a0347afb477403574bd9067ea3e1401df80ba89525672acb869f81d23b6b7234
Instruction ID: 9a5bbb3e9a0a911d9c5344b9abe3f83f02ad8ebb83230ab1edbff789ea42db9c
Opcode Fuzzy Hash: a0347afb477403574bd9067ea3e1401df80ba89525672acb869f81d23b6b7234
Instruction Fuzzy Hash: 89015A35709214EFCB225F66EC18B99BF65BF0DB51F145025F909B2171CBA2A864EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E4FE3E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E4FDEF,?,?,00E4FDB7,?,?), ref: 00E4FE5E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E4FE71
FreeLibrary.KERNEL32(00000000,?,?,?,00E4FDEF,?,?,00E4FDB7,?,?), ref: 00E4FE94

Strings

mscoree.dll, xrefs: 00E4FE57
CorExitProcess, xrefs: 00E4FE69

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5c4a22598d22cbae65a15ba431fba3f560f3b49011dc86cd42d51a7e2baebe75
Instruction ID: 8264e77b4761a5beba381b1f2703808cc8ab1a8f18bb25cfac17203c2ac0f0b3
Opcode Fuzzy Hash: 5c4a22598d22cbae65a15ba431fba3f560f3b49011dc86cd42d51a7e2baebe75
Instruction Fuzzy Hash: 41F04430A00209BFDB15AF65EC09BAEBBB4EF48B26F510164F80DB21A1DB319D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E5B61D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00E5B681: _free.LIBCMT ref: 00E5B6A1

_free.LIBCMT ref: 00E5B637

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

_free.LIBCMT ref: 00E5B64A
_free.LIBCMT ref: 00E5B65B
_free.LIBCMT ref: 00E5B66C

Strings

xxH, xrefs: 00E5B624

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: xxH
API String ID: 776569668-977459878
Opcode ID: 21b09a562c642d60b2d46ab2f97574e8357db21bdde32080ce6b23a0557b76d3
Instruction ID: b6bae32bf66db089e7af4aae4a2d4bc65238b5b0e758f0081b378c4e3971662b
Opcode Fuzzy Hash: 21b09a562c642d60b2d46ab2f97574e8357db21bdde32080ce6b23a0557b76d3
Instruction Fuzzy Hash: 8CF030708152116E8625BF16FD8E84B7BE5E744751B101706F80832272DF72261EDBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00E3C190 Relevance: 7.9, APIs: 5, Instructions: 393COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E3C197
VariantClear.OLEAUT32(?), ref: 00E3C37B
VariantClear.OLEAUT32(?), ref: 00E3C56B
VariantClear.OLEAUT32(?), ref: 00E3C58F
GetDC.USER32(?), ref: 00E3C5C2

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant$H_prolog3_
String ID:
API String ID: 2346260723-0
Opcode ID: 004870f63d29da54d3954989af97bad6a883fd716b63b0bf8d19d7ca11bff229
Instruction ID: bb7ff1b256494280ab686d74154d9354d6607e9747e7b5a919e8bedab41f20aa
Opcode Fuzzy Hash: 004870f63d29da54d3954989af97bad6a883fd716b63b0bf8d19d7ca11bff229
Instruction Fuzzy Hash: A5D10570D05208EACF04DBA4D999AFEBFB9FF05304F24A08AF541B7291DB359A84D761

Uniqueness

Uniqueness Score: -1.00%

Function 00E40C9C Relevance: 7.8, APIs: 5, Instructions: 281COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E40CA3
_strlen.LIBCMT ref: 00E40CD4

Part of subcall function 00E28FEB: _memcpy_s.LIBCMT ref: 00E28FFA

Part of subcall function 00E412C5: __EH_prolog3.LIBCMT ref: 00E412CC
Part of subcall function 00E412C5: VariantChangeType.OLEAUT32(?,?,00000000,0000000D), ref: 00E4136C

VariantClear.OLEAUT32(?), ref: 00E40EE3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ChangeClearH_prolog3H_prolog3_catch_Type_memcpy_s_strlen
String ID:
API String ID: 961710286-0
Opcode ID: cd76e7677394016166ea2243c365a99420fd0cea24ee40fab17c74cc0cf176ea
Instruction ID: 4fc939b0874d57db1802b32d709bad021ac27f800e43b14e9c79109e9de7c6f3
Opcode Fuzzy Hash: cd76e7677394016166ea2243c365a99420fd0cea24ee40fab17c74cc0cf176ea
Instruction Fuzzy Hash: B0B18C71E00219EBCF10EFA4E8809EEBBB0FF08314F149469F915BB251D735A956DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E6758F Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a3ed1333cbc8d23417e18b5e2d3a77f0936df37a0e8a649f11a5d49cb2d8e5
Instruction ID: d8eb40e908a8dad2627d6fa9cc3d7f8f67f95ae974989dbd9ea69faba2e6468b
Opcode Fuzzy Hash: 33a3ed1333cbc8d23417e18b5e2d3a77f0936df37a0e8a649f11a5d49cb2d8e5
Instruction Fuzzy Hash: FA71E7319482169FCB21CF55E844ABFBB75FF513ADF24622AE4A077281D770AC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5A966 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E5DEBD: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

_free.LIBCMT ref: 00E5AA71
_free.LIBCMT ref: 00E5AA88
_free.LIBCMT ref: 00E5AAA7
_free.LIBCMT ref: 00E5AAC2
_free.LIBCMT ref: 00E5AAD9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 031285b2b0ee209a23350fd5a0b2224f5a23374682b228c02a0d99baf3d7a316
Instruction ID: f82dd99e21075ffc367802220cc95c5605764e5dfba73784660d619aaf0ae631
Opcode Fuzzy Hash: 031285b2b0ee209a23350fd5a0b2224f5a23374682b228c02a0d99baf3d7a316
Instruction Fuzzy Hash: 0651C131A00204AFDB21DF29CD41A6A77F5EF58726F581A69EC09F7291EB31ED09CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E5B28D Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E5B2FF
_free.LIBCMT ref: 00E5B31F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0aaa4d6d83505fce6bf6b5684aa7945069e8b6d235f96a55a7cb71f0f549419d
Instruction ID: 766e1a60195fe7ceb942efdeed0912ace8ca3a5ebf9d50782cf109168add0393
Opcode Fuzzy Hash: 0aaa4d6d83505fce6bf6b5684aa7945069e8b6d235f96a55a7cb71f0f549419d
Instruction Fuzzy Hash: EE41D132A00204DFCB24DF78C885A5EB7E6EF89714F255968E905FB291DB71AD05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E41137 Relevance: 7.6, APIs: 5, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000010), ref: 00E411AD
SysAllocString.OLEAUT32(00000010), ref: 00E411D5
SysAllocString.OLEAUT32(00000000), ref: 00E411FA
SysAllocString.OLEAUT32(00000000), ref: 00E4122E
SysAllocString.OLEAUT32(00000000), ref: 00E41267

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: f5d72009b28a0a7afc792ae765ea30c241f11ad9a9ece60524d73e8b533b5acf
Instruction ID: 616688d6417d48d1d4c7984499ba63394178d832e394081e254b1348038f824d
Opcode Fuzzy Hash: f5d72009b28a0a7afc792ae765ea30c241f11ad9a9ece60524d73e8b533b5acf
Instruction Fuzzy Hash: FF415D75A00315AFCB14EF64DC89AA9B3B4BF04310F105699E965B72E2DF70E994CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E04190 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E041BD
std::_Lockit::_Lockit.LIBCPMT ref: 00E041E0
std::_Lockit::~_Lockit.LIBCPMT ref: 00E04200
std::_Facet_Register.LIBCPMT ref: 00E04265
std::_Lockit::~_Lockit.LIBCPMT ref: 00E0427D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: ef62ec5b8a82e80dc5958a3011b20e22b0e9a1733eb9e600fa5ca97c613afdf1
Instruction ID: 855595ae55b7f431f165817240c73b8e67f28f4c69a89cc632141ad332fee9be
Opcode Fuzzy Hash: ef62ec5b8a82e80dc5958a3011b20e22b0e9a1733eb9e600fa5ca97c613afdf1
Instruction Fuzzy Hash: 9B3122B2A00115DFCB20CF84E944A6EB7B4EB19324F115169EA157B3E2D730BD89CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00E640E9 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E640F2
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E64115

Part of subcall function 00E5DEBD: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E6413B
_free.LIBCMT ref: 00E6414E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E6415D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d7f6cb69bd959d1da6a7d79682af3283e6a6d345103f0b54036b7f344d1b9efc
Instruction ID: 839036aa4687469739851728451e544f4f262abb830891a54b022b5504e00d5a
Opcode Fuzzy Hash: d7f6cb69bd959d1da6a7d79682af3283e6a6d345103f0b54036b7f344d1b9efc
Instruction Fuzzy Hash: F901B1E26426197F63315A6A6C8CCBB6A7DDED3BE43151129FD18E7281DE608C4282B0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2C0E7 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 00E2C0F6
GetDeviceCaps.GDI32(?,00000058), ref: 00E2C13E
GetDeviceCaps.GDI32(?,0000005A), ref: 00E2C14B

Part of subcall function 00E29E36: MulDiv.KERNEL32(?,00000000,00000000), ref: 00E29E6F
Part of subcall function 00E29E36: MulDiv.KERNEL32(?,00000000,00000000), ref: 00E29E90

MulDiv.KERNEL32(?,00000060,000009EC), ref: 00E2C16D
MulDiv.KERNEL32(?,00000060,000009EC), ref: 00E2C17A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 92af04a20c6f0d46afb14929870584dd60314b22126bb1a898f5f61e1fbec0c6
Instruction ID: 793b2b20b1b72965d999c0843ca9fc027a8f8d6f53fc58557f3b4234ccf1b00d
Opcode Fuzzy Hash: 92af04a20c6f0d46afb14929870584dd60314b22126bb1a898f5f61e1fbec0c6
Instruction Fuzzy Hash: CE11E775201210BFCB119F62EC4882DBBB9FF49751B240415FD0973362DB316C52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E27E25 Relevance: 7.6, APIs: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(00000000,?), ref: 00E27E48
RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 00E27E66
RegCloseKey.ADVAPI32(00000000), ref: 00E27E99

Part of subcall function 00E27795: RegCloseKey.ADVAPI32(00000000), ref: 00E2783A
Part of subcall function 00E27795: RegCloseKey.ADVAPI32(00000000), ref: 00E27849

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00E27EB4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 2309236e7f8fc4457e556d3e60ba5b379d98ef43468c0728b7df542d710f84e6
Instruction ID: df2f2fbd50f368aed6941275345cb56ec1a3acd5ac380e5acedde70c37420540
Opcode Fuzzy Hash: 2309236e7f8fc4457e556d3e60ba5b379d98ef43468c0728b7df542d710f84e6
Instruction Fuzzy Hash: F0119A32418235EBCF225F60AC04EAF3B6ABF84751F125469F945B9021DB31CC5197B0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BF13 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 00E2BF22
GetDeviceCaps.GDI32(?,00000058), ref: 00E2BF6A
GetDeviceCaps.GDI32(?,0000005A), ref: 00E2BF77

Part of subcall function 00E29BE3: MulDiv.KERNEL32(?,00000000,00000000), ref: 00E29C1C
Part of subcall function 00E29BE3: MulDiv.KERNEL32(?,00000000,00000000), ref: 00E29C3D

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00E2BF99
MulDiv.KERNEL32(?,000009EC,00000060), ref: 00E2BFA6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 69ec205901f2bcb91d364347ad868bcd68f2e9b62313848cd58b2260192cd45a
Instruction ID: ec256af626acd4a6902b3050989951c83b737e359586f101aebdc3ddab0beb59
Opcode Fuzzy Hash: 69ec205901f2bcb91d364347ad868bcd68f2e9b62313848cd58b2260192cd45a
Instruction Fuzzy Hash: 5111E33A600214AFDB019F62ED4882DBBA9FF893217140015FD0AB7362CB31AC91DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E332F9 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E33300
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000008), ref: 00E33334
GetCurrentProcess.KERNEL32(?,00000000), ref: 00E3333E
DuplicateHandle.KERNEL32(00000000), ref: 00E33345
GetLastError.KERNEL32(?), ref: 00E33369

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorH_prolog3HandleLast
String ID:
API String ID: 2082106130-0
Opcode ID: 993f31e5f601961ac5e746b21c20367fa1973cd8b4701db86a879410940f2d83
Instruction ID: f4ca441718cd924ecdaddfd262e0ce0b12c1e47cbe65a7ff30c10afa974242a9
Opcode Fuzzy Hash: 993f31e5f601961ac5e746b21c20367fa1973cd8b4701db86a879410940f2d83
Instruction Fuzzy Hash: E8115771A01205AFCB00DFB5D849A6EBFB5BF48710F199158F919EB292EB30DD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E649DF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E649F7

Part of subcall function 00E5D0F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00E5B4AC,?,?), ref: 00E5D10B
Part of subcall function 00E5D0F5: GetLastError.KERNEL32(?,?,00E5B4AC,?,?), ref: 00E5D11D

_free.LIBCMT ref: 00E64A09
_free.LIBCMT ref: 00E64A1B
_free.LIBCMT ref: 00E64A2D
_free.LIBCMT ref: 00E64A3F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 28d3f57e098654a061b40eeb2c904477e71f495c0e4b0f80186409cdbbf44e4e
Instruction ID: 5394637177e0d678e787bbde329007ab489533ee75ddf9c3ebd2dae45cb1239b
Opcode Fuzzy Hash: 28d3f57e098654a061b40eeb2c904477e71f495c0e4b0f80186409cdbbf44e4e
Instruction Fuzzy Hash: F3F03C72688201AF8670EB99F8C9C1A77EAAB45795B682C05F408F7580DF30FC858654

Uniqueness

Uniqueness Score: -1.00%

Function 00E39B02 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 329memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E39B0C
CoTaskMemAlloc.OLE32(?,?,00000000), ref: 00E39C87
CoTaskMemFree.OLE32(?), ref: 00E39EDF

Strings

, xrefs: 00E39D40

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Task$AllocFreeH_prolog3_
String ID:
API String ID: 1458175711-3916222277
Opcode ID: 1d5bd6cbb252bdb43f65753432c5c218c83415184def660d319821c9ac1a2c58
Instruction ID: f606c967531e0533918d0861d3229498ea643e8707ed1daa3aa7b9273e34270c
Opcode Fuzzy Hash: 1d5bd6cbb252bdb43f65753432c5c218c83415184def660d319821c9ac1a2c58
Instruction Fuzzy Hash: 54D13770A006199FDB28DF6AC998A99BBF4FF48304F20516DE50AE7392CB71AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E3188A Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E31891

Strings

, xrefs: 00E31A73, 00E31A78, 00E31A80, 00E31AB1, 00E31AB9
,, xrefs: 00E318FC
,, xrefs: 00E31A35

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID: $ ,$ ,
API String ID: 431132790-2940328001
Opcode ID: a366958981b95e10d2e95f8c3e57e296bd8e45f9891f1a6fcd541e96c7b2432e
Instruction ID: cfa71880d1a8e49ce97980d6a563e22698d0a1bc351d525a132aaaca120ee450
Opcode Fuzzy Hash: a366958981b95e10d2e95f8c3e57e296bd8e45f9891f1a6fcd541e96c7b2432e
Instruction Fuzzy Hash: 33917C7180111AAADB15FBA0CC96AFFB7BCAF10304F142569E512B71D2DF74AE44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E73730 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00E737C9

Strings

</__SERVER_ACCESS_SETTING1__>, xrefs: 00E73A19
<__SERVER_ACCESS_SETTING1__>, xrefs: 00E73A1E
%s%d%s%c%s%s, xrefs: 00E737B2

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strstr
String ID: %s%d%s%c%s%s$</__SERVER_ACCESS_SETTING1__>$<__SERVER_ACCESS_SETTING1__>
API String ID: 2882301372-896595307
Opcode ID: a22f14a04401f800cad03de7c3a2fe358fd8696627e1f08982d73efb1f4bc9e7
Instruction ID: 4881b33c23d60ac4021b1eb842616da966957bd5e14c19a86a4f2dc27078deb8
Opcode Fuzzy Hash: a22f14a04401f800cad03de7c3a2fe358fd8696627e1f08982d73efb1f4bc9e7
Instruction Fuzzy Hash: 19913671A002999BDB24CB24CC557EEBBB6EF85304F049198E98DBB381C7B55FC48B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E596D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe, xrefs: 00E59716, 00E5971D, 00E59751

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe
API String ID: 0-1330334843
Opcode ID: 461865d8b18a2dde4edd7605a869543d946f12c83a5ca1e4e91ab4792724adc9
Instruction ID: b90e9b6c766aad61b7b88d2d4c648fdc405f2ac7221ef724911c80ffc6695202
Opcode Fuzzy Hash: 461865d8b18a2dde4edd7605a869543d946f12c83a5ca1e4e91ab4792724adc9
Instruction Fuzzy Hash: 2D41A071A00214EFCB21DF9ADC859DFBBF8EB89311B201567E804B7252E7705E48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E39F25 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?,?,?,?,?,?,?,00E37939,00000000,?,00000000,00000002), ref: 00E39FF1
CoTaskMemFree.OLE32(9y,?,?,?,?,?,?,00E37939,00000000,?,00000000,00000002), ref: 00E39FFE

Strings

9y, xrefs: 00E39F91, 00E39FBD, 00E39FF7, 00E39F97, 00E39FFD
DP, xrefs: 00E39F89

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask
String ID: 9y$DP
API String ID: 734271698-393712294
Opcode ID: d8c84f6cc1fe91b70bf0d9cfe42f60cea93e536b7f9d0def6c698d5500f6dda4
Instruction ID: 30a74f93d9fc3fdc9a5340ac5ef1dd4ba4fd88ef84ac20236c3e69b4d9176def
Opcode Fuzzy Hash: d8c84f6cc1fe91b70bf0d9cfe42f60cea93e536b7f9d0def6c698d5500f6dda4
Instruction Fuzzy Hash: A63139B6A002199FCB08CF98D9949EEBBF5EF8C314F155029E906B7340DB71AD45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E1E6B9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00E1E6CF
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00E1E7BB
LoadBitmapW.USER32(00000000,00007FE3), ref: 00E1E7D3

Strings

8, xrefs: 00E1E76A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID: 8
API String ID: 2596413745-1581818123
Opcode ID: b28489cf8cbec76bb5cb830571213bfb6a38ee44fa83403dd62df7799cc8d63b
Instruction ID: 5d9a527546ac9e1b798e8e46d353d3dafb100bebd94039bd4e1e075ab6ae289b
Opcode Fuzzy Hash: b28489cf8cbec76bb5cb830571213bfb6a38ee44fa83403dd62df7799cc8d63b
Instruction Fuzzy Hash: D631D671E0021A9FEB24DF29DC85BEDB7B4FB84315F0041AAE549F7281DB70AAC58B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E3EDFD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3EE04
__CxxThrowException@8.LIBVCRUNTIME ref: 00E3EE3D
__EH_prolog3.LIBCMT ref: 00E3EE4A

Part of subcall function 00E32F39: __EH_prolog3.LIBCMT ref: 00E32F40

Strings

/, xrefs: 00E3EEB6, 00E3EEBE, 00E3EEC4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: /
API String ID: 2489616738-3878498614
Opcode ID: 5a4762281f7522b134998a936f25c2acd761c44ae21dd0b3633e76a818f5c8eb
Instruction ID: fcbc34ebf4607a97110af1ea0294ab1dd827aefe10203b638cf5bc386bd41ab2
Opcode Fuzzy Hash: 5a4762281f7522b134998a936f25c2acd761c44ae21dd0b3633e76a818f5c8eb
Instruction Fuzzy Hash: 0931707190120AABDF14EFA4CC49BAE7BB8BF04314F145968F521B72D1DB70DA50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E12230 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00E16680: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,00E016A1,TMSetupWindow,?,00000200,?,?,?,?,00E75578,000000FF), ref: 00E1669A

__fread_nolock.LIBCMT ref: 00E122C3

Strings

c:\rhub2\code\utility\utility.cpp, xrefs: 00E122E9
Failed to open sFileName %s, xrefs: 00E122DF
Utility::GetFileData(), xrefs: 00E122F0

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__fread_nolock
String ID: Failed to open sFileName %s$Utility::GetFileData()$c:\rhub2\code\utility\utility.cpp
API String ID: 3992567027-3580890932
Opcode ID: 3245998776c900498a86ef36d470a496392d368d4c56fccc4f886d8f5b4acbb7
Instruction ID: e2de889927c48e6e9a9b6a2794f8464118a54fd1af8716a5ea98884bd261553d
Opcode Fuzzy Hash: 3245998776c900498a86ef36d470a496392d368d4c56fccc4f886d8f5b4acbb7
Instruction Fuzzy Hash: 6D21A4B1504340ABD720AB54DC41FAFB7DCAF49700F441829FB48B7291D775A954C766

Uniqueness

Uniqueness Score: -1.00%

Function 00E046B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E046DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E0472C

Part of subcall function 00E45A4E: _Yarn.LIBCPMT ref: 00E45A6D
Part of subcall function 00E45A4E: _Yarn.LIBCPMT ref: 00E45A91

std::ctype_base::ctype_base.LIBCPMT ref: 00E04750

Strings

bad locale name, xrefs: 00E04748

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_std::ctype_base::ctype_base
String ID: bad locale name
API String ID: 2130855923-1405518554
Opcode ID: 6f1c74781057f2f5b860fe30d59fc8c5443b11cff6a2dc8bd58d75712e73e46f
Instruction ID: 7399ae216bafe322c2271c7cdf36c685aca0ff8d4738cbf2562cf5f36aef6ab2
Opcode Fuzzy Hash: 6f1c74781057f2f5b860fe30d59fc8c5443b11cff6a2dc8bd58d75712e73e46f
Instruction Fuzzy Hash: 9A119071904B449FD320DF69D90574BBBF4EF19710F008A6EE48AE7B81D775A608CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D4D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00E1D4E4
GetClientRect.USER32(00000000,?), ref: 00E1D4FB

Part of subcall function 00E20C64: GetScrollPos.USER32(00000000,?), ref: 00E20C90

OffsetRect.USER32(?,00000000,00000000), ref: 00E1D538

Strings

4&, xrefs: 00E1D504

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClientEmptyOffsetScroll
String ID: 4&
API String ID: 859223101-1676276578
Opcode ID: 4130aa4e6f5cdac2f24eadb18ec326fd74120cfa8aaf17efe5a5c30fa965b090
Instruction ID: e2e8476293e7662f3784b2a35a5c75bace6215466e87e5dea4a20ad154a6881c
Opcode Fuzzy Hash: 4130aa4e6f5cdac2f24eadb18ec326fd74120cfa8aaf17efe5a5c30fa965b090
Instruction Fuzzy Hash: 87118672200611EFD714DF69DC85D65FBA6FF84714714C269E919DB296EB30EC40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E11A00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?), ref: 00E11AB1

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

c:\rhub2\code\utility\utility.cpp, xrefs: 00E11A49
Utility::CopyMyFile(), xrefs: 00E11A50
sSourceFile, %s, does not exist, xrefs: 00E11A3F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeave
String ID: Utility::CopyMyFile()$c:\rhub2\code\utility\utility.cpp$sSourceFile, %s, does not exist
API String ID: 948928420-793497291
Opcode ID: 50fa00b2be5c7c0ef2c26a66f5b0d461344d20f2a7e3c1edf0351132ab604421
Instruction ID: eef2d05955081ba6c74f8541cab39f3a71e9919ba0abcc8e35ddc12e836f3eaf
Opcode Fuzzy Hash: 50fa00b2be5c7c0ef2c26a66f5b0d461344d20f2a7e3c1edf0351132ab604421
Instruction Fuzzy Hash: D31191726053006AE620AB54DC47FEB77DCBF84B00F846859FA8CB6181EA706685C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 00E462F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,00E45B76,904898A6,00000001,?,00000000,?,00E07547,00EA915C,00E03FA0,00EA9160,?,00E06A6F,?,00000001), ref: 00E46378

Strings

ios_base::failbit set, xrefs: 00E462F7
oj, xrefs: 00E46354, 00E46306

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID: ios_base::failbit set$oj
API String ID: 1452528299-2528494008
Opcode ID: 40933e2eace695c480d45bcc98fd0a04b13256f33c4d2f459ca300f1b70c0ea1
Instruction ID: c9173e11116ef39555c2f3fe700be8c64547c81a75cfb83783a8196bde59c1d4
Opcode Fuzzy Hash: 40933e2eace695c480d45bcc98fd0a04b13256f33c4d2f459ca300f1b70c0ea1
Instruction Fuzzy Hash: AF11A532300169AFCF169F66ED445AEF765FF89769B018039F905B6220CB70AC54DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1F247 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2DE19: EnterCriticalSection.KERNEL32(00EAF9A0,00000000,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE4A
Part of subcall function 00E2DE19: InitializeCriticalSection.KERNEL32(00000000,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE60
Part of subcall function 00E2DE19: LeaveCriticalSection.KERNEL32(00EAF9A0,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE6E
Part of subcall function 00E2DE19: EnterCriticalSection.KERNEL32(00000000,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE7B

Part of subcall function 00E2D247: __EH_prolog3_catch.LIBCMT ref: 00E2D24E

Part of subcall function 00E1FDAD: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00E1FDD3
Part of subcall function 00E1FDAD: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E1FDE3
Part of subcall function 00E1FDAD: EncodePointer.KERNEL32(00000000,?,00000000), ref: 00E1FDEC

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 00E1F289
FreeLibrary.KERNEL32(?,?,00E1DEA6,?,?,?,00E2B594), ref: 00E1F299

Strings

HtmlHelpW, xrefs: 00E1F283
hhctrl.ocx, xrefs: 00E1F26D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 849444252-3773518134
Opcode ID: b004462d4b742d95964ff5c9956b7d16fed626d0c8a5d3584bee4ed1fc66aa7c
Instruction ID: ad34c65a7bd9bc0dbc83dc9a69c9671ec7ccbc830856c2d795c2aeadc78ff471
Opcode Fuzzy Hash: b004462d4b742d95964ff5c9956b7d16fed626d0c8a5d3584bee4ed1fc66aa7c
Instruction Fuzzy Hash: F801D835500716AFDB206FA1DC0AB9B7BA4AF00754F006435F51E75572DB30D890D791

Uniqueness

Uniqueness Score: -1.00%

Function 00E27BEC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,00E27826,?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00E27BFD
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00E27C0D

Strings

Advapi32.dll, xrefs: 00E27BF8
RegCreateKeyTransactedW, xrefs: 00E27C07

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: 7e7915361f920992ce0f143d1228567ff7225ff7ec12360ce164a9117fb18e61
Instruction ID: 5b58216de3289091b572a2926ec1b287d6d0ac1f7966bb51c8a62139a1bd0aee
Opcode Fuzzy Hash: 7e7915361f920992ce0f143d1228567ff7225ff7ec12360ce164a9117fb18e61
Instruction Fuzzy Hash: F501A232210208EFCF125FA5EC05AEA7BAAFF8C359F044025FA48B1070D772C8A1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E27240 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?), ref: 00E27253
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00E27263

Strings

Advapi32.dll, xrefs: 00E2724E
RegDeleteKeyTransactedW, xrefs: 00E2725D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 0bd5881136cf552f7196d4c535910dd6cba0edd27d6c02a3dfe40ed3322e3825
Instruction ID: f5a4caba3301e4a530994528a286ba7deacf103525d16034451367a7bf3b1ddb
Opcode Fuzzy Hash: 0bd5881136cf552f7196d4c535910dd6cba0edd27d6c02a3dfe40ed3322e3825
Instruction Fuzzy Hash: 4FF096B3304319EF97116FA6BC4497677ADFB803A6318443AF189A5171D6318C458760

Uniqueness

Uniqueness Score: -1.00%

Function 00E2E4B3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 00E2E4DC
GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 00E2E4EC

Strings

mfcm140u.dll, xrefs: 00E2E4CF
AfxmReleaseManagedReferences, xrefs: 00E2E4E6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AfxmReleaseManagedReferences$mfcm140u.dll
API String ID: 1646373207-1124768495
Opcode ID: e03b0bfaa7b49be660235ae8467123925d4747f5cf8e94a56671dee3e72b1370
Instruction ID: 4bba0c59bd6624a71091ad005e284daf4c82971dbfeeb517d73b1adf34833dec
Opcode Fuzzy Hash: e03b0bfaa7b49be660235ae8467123925d4747f5cf8e94a56671dee3e72b1370
Instruction Fuzzy Hash: 42F09C31B0022CABCB14DB76EC499AF77E8FF487147000025F509F7291DA609D05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2729F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00E272B0
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00E272C0

Strings

RegOpenKeyTransactedW, xrefs: 00E272BA
Advapi32.dll, xrefs: 00E272AB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: e47df62b13c05dc057189664c6ef5908abc997bd5c9036b05776fc61bace633c
Instruction ID: a9da7e37e0e26abcb1100d89f7c70992af12cb648528daa9ab4e4ae1f0c60919
Opcode Fuzzy Hash: e47df62b13c05dc057189664c6ef5908abc997bd5c9036b05776fc61bace633c
Instruction Fuzzy Hash: 2FF06233204219EFCB129F5AEC08BA63BB9FF89756F044035F54AB1170EB718851DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E3F43E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00E3F455
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 00E3F465

Strings

GetFileAttributesTransactedW, xrefs: 00E3F45F
kernel32.dll, xrefs: 00E3F450

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-1378992308
Opcode ID: 210db11db29ca64bf2268212b9b22a286d1d4e486457e8858ad3cfd5d0f1ae84
Instruction ID: e67f95b677dcc8cfae06032aa9afdcd3f81dcf8351829e604b1b8af7fc8ad8dc
Opcode Fuzzy Hash: 210db11db29ca64bf2268212b9b22a286d1d4e486457e8858ad3cfd5d0f1ae84
Instruction Fuzzy Hash: E6F06D32701305AFDB205FA5ED4CBBB7BA8EF0431AF00953AE558A1160C7718894C750

Uniqueness

Uniqueness Score: -1.00%

Function 00E26DE1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,?,00000010,?,00E260B8,00000000,00000000,?,?,00E26630,00000000,?,?,?,?,00E3E83A), ref: 00E26DEB
LockResource.KERNEL32(00000000,?,00E260B8,00000000,00000000,?,?,00E26630,00000000,?,?,?,?,00E3E83A,00000000,?), ref: 00E26DF6
SizeofResource.KERNEL32(00000000,?,?,00E260B8,00000000,00000000,?,?,00E26630,00000000,?,?,?,?,00E3E83A,00000000), ref: 00E26E08

Strings

tG, xrefs: 00E26E0E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID: tG
API String ID: 2853612939-3095411533
Opcode ID: aed5eef104582d1f732236893764cb5921e0060fdadef722fe9d5ddc359f2f30
Instruction ID: 4f3c8ebdd5290dee6e92989a1a8b15bef44fb3c666ea1705b6765bae041e91cc
Opcode Fuzzy Hash: aed5eef104582d1f732236893764cb5921e0060fdadef722fe9d5ddc359f2f30
Instruction Fuzzy Hash: 1FF0C239800235ABCF326F55FC044BA7B68EF203057025A1AFC49B6434E731DEA0D6C0

Uniqueness

Uniqueness Score: -1.00%

Function 00E19BC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00EA9820,}~,00000000,?,00E17E7D,?,Module %d,?,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E19BD9
WriteFile.KERNEL32(?,00EA9820,00000000,?,00E17E7D,?,Module %d,?,?,?,?,?,00E47BD0,00E9A838,000000FE), ref: 00E19BE9
wvsprintfW.USER32(?,?,?), ref: 00E19C07

Strings

}~, xrefs: 00E19BCF, 00E19BD3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: FileWritelstrlenwvsprintf
String ID: }~
API String ID: 3159838295-951315991
Opcode ID: 0ec92a57091b92ebd8aa35d70828f5d08f6b24f402ec2faf3981c2c199eaed21
Instruction ID: 58bee722def7a9bf53f7794d9d960f4bfc994d415ed02ab84cac6721ca805aa2
Opcode Fuzzy Hash: 0ec92a57091b92ebd8aa35d70828f5d08f6b24f402ec2faf3981c2c199eaed21
Instruction Fuzzy Hash: 2EF03971408305AFDB08DF65EC44D9A77E8FB4E300F000919F026E50B2EB39A858CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E72D18 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 17networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00E72D18

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

HR::DoRequest, xrefs: 00E72D3C
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E72D35
CRASHED --- error code=%d, error = %s, xrefs: 00E72D2B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID: CRASHED --- error code=%d, error = %s$HR::DoRequest$c:\rhub2\code\hlib\hlib.cpp
API String ID: 4082018349-3415088769
Opcode ID: e36c871f327b7f206826d27a7cc2aac704173abfe421b43ba44eef0566c0867c
Instruction ID: ea3e181b245cbda65722066d7dd163ef78bb4085d3b44c89601174c46de2e73a
Opcode Fuzzy Hash: e36c871f327b7f206826d27a7cc2aac704173abfe421b43ba44eef0566c0867c
Instruction Fuzzy Hash: 6AD0A7767807007AE62116116C47F7A25459B15745F403020BA0CB43EBD2C028494285

Uniqueness

Uniqueness Score: -1.00%

Function 00E7349D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00E7349D

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

HLib::GetPage, xrefs: 00E734BE
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E734B7
Crash, error code: %d, error: %s, xrefs: 00E734AD

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID: Crash, error code: %d, error: %s$HLib::GetPage$c:\rhub2\code\hlib\hlib.cpp
API String ID: 4082018349-1778592653
Opcode ID: 306b01e2052cec7a0b747a4fab1b6a854b25fc2e6804d0c1ed0e12d5ddff3223
Instruction ID: 20408d53fad6f1244971921fedfb53a51e422c026d3d9a4f8574b9314be9fe3a
Opcode Fuzzy Hash: 306b01e2052cec7a0b747a4fab1b6a854b25fc2e6804d0c1ed0e12d5ddff3223
Instruction Fuzzy Hash: 57D0A7723447003FD9165611AC47F5A2888A705740F803410BE0DB42D792C05A45824D

Uniqueness

Uniqueness Score: -1.00%

Function 00E628CE Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E629FD

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d60fa4f0da1be44e7e36ae07b4f0b10f814b03209a138af43d06915c102ee8cf
Instruction ID: df6c5d20cc6ee3b8def0d7fb81f11c100f2b697bd58da5326f2636e7b0ccfb12
Opcode Fuzzy Hash: d60fa4f0da1be44e7e36ae07b4f0b10f814b03209a138af43d06915c102ee8cf
Instruction Fuzzy Hash: 02417E31A80A016BDB316AB8AC457BE3AE4FFC53F4F18261DF614F6292DA744C415371

Uniqueness

Uniqueness Score: -1.00%

Function 00E28721 Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00E287E3
SetWindowContextHelpId.USER32(00000000,?), ref: 00E2884C
GetParent.USER32(00000000), ref: 00E28855

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$ContextHelpParent
String ID:
API String ID: 2037418093-0
Opcode ID: d1e44dc5182d26ee0a6205cdf7ddb5b65bc10ba080bae318da728f4198c59371
Instruction ID: e451f66a12fe431168a3ac60593a50b2e5ffbd82f145862e571f7325cb2d08b6
Opcode Fuzzy Hash: d1e44dc5182d26ee0a6205cdf7ddb5b65bc10ba080bae318da728f4198c59371
Instruction Fuzzy Hash: B0518E75E02229DFDF18CF98EA40AAEB7F1BF48714FA5911AD815B3250DB309D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E57BFA Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a2afe1fb60355c837241580be786e3cedbfca41169beca8f491f4464462a62
Instruction ID: eae0b587959b3ca322ef6520ba586f11f399d0b594c08e4e9979521ef06d51d0
Opcode Fuzzy Hash: c3a2afe1fb60355c837241580be786e3cedbfca41169beca8f491f4464462a62
Instruction Fuzzy Hash: 04415C71A04304AFD7249F78EC41BAABBE9EF8C711F10992AF581FB281D671A9558780

Uniqueness

Uniqueness Score: -1.00%

Function 00E3ACBE Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E3AD39
SysFreeString.OLEAUT32(00000000), ref: 00E3ADCA
SysFreeString.OLEAUT32(00000000), ref: 00E3ADD9
SysFreeString.OLEAUT32(00000000), ref: 00E3ADE8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: d866406c9db5509e9603bf2203c26e55e795d4917364bfe3299a064aea212e72
Instruction ID: 763910fed1fcd1253c02f7cf2ea3e739eedd0bc01b430430a03bb8443b1af30b
Opcode Fuzzy Hash: d866406c9db5509e9603bf2203c26e55e795d4917364bfe3299a064aea212e72
Instruction Fuzzy Hash: C8418A71A10219AFCB14EFA5DC89BDEBBB9FF04705F040129F549B72A1DB706988CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E27A06 Relevance: 6.1, APIs: 4, Instructions: 117registryCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 00E27B52

Part of subcall function 00E27B84: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00E279B3,?,00000000), ref: 00E27BC9

RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00E27AA1
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00E27ADD
RegCloseKey.ADVAPI32(00000000), ref: 00E27AF7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue$PrivateProfileString
String ID:
API String ID: 2114517702-0
Opcode ID: 22c71dc5ce932535adc72264a2ac5f7c9c97936810685c2ba23adba85b71b593
Instruction ID: cacf3a6512408fdfd016ccaebb097b40599beadb8b0cc2ae2bfbca942f6b51be
Opcode Fuzzy Hash: 22c71dc5ce932535adc72264a2ac5f7c9c97936810685c2ba23adba85b71b593
Instruction Fuzzy Hash: 834180B1904329EFDB25DB14DC49EEEB3B9EB44310F00519AB959B3282DB309E95DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E65081 Relevance: 6.1, APIs: 4, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00E5C952,00000000,?,?,00000000,00000000,?,00000000,7FFFFFFF,-00000001,00E5C952,00000001,?,?,00000001,?), ref: 00E650C9
MultiByteToWideChar.KERNEL32(00E5C952,00000001,?,?,00000000,?), ref: 00E65153
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E65165
__freea.LIBCMT ref: 00E6516E

Part of subcall function 00E5DEBD: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E1D9AD,?,?,?,?,00E013BB,?), ref: 00E5DEEF

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4e25fe7d9ab3bab3558cc064be7465c9345885ad669c0bdbb599448eba2359e0
Instruction ID: bbfb1f875cdfa05f4b23c18251736d970ce712a323b59a9fc8bf17d37163dece
Opcode Fuzzy Hash: 4e25fe7d9ab3bab3558cc064be7465c9345885ad669c0bdbb599448eba2359e0
Instruction Fuzzy Hash: 3F31F472F01A1AAFDB208F64EC45EAF7BA5EF41754F054228F804A6251EB34CD54C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E2AF16 Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00E2AF43
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00E2AFA4
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00E2AFEE
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00E2B01D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7e5aef39bf56dacdb6186c86c59ac1476fa1be84194c67d5d4e2e6fddb2a3ec7
Instruction ID: bc68bfd088fa4b5b5e0cf5debc8fda10280144da00a44a53d119de9e4e9a4d3d
Opcode Fuzzy Hash: 7e5aef39bf56dacdb6186c86c59ac1476fa1be84194c67d5d4e2e6fddb2a3ec7
Instruction Fuzzy Hash: 4C316371A0022AFFEB259FA0E995F7AB3A9FF00348F185079E11277161CB74AD44E651

Uniqueness

Uniqueness Score: -1.00%

Function 00E259C5 Relevance: 6.1, APIs: 4, Instructions: 84threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E259CF

Part of subcall function 00E25087: __EH_prolog3.LIBCMT ref: 00E2508E

GetCurrentThread.KERNEL32 ref: 00E25A2F
GetCurrentThreadId.KERNEL32 ref: 00E25A38
GetVersionExW.KERNEL32 ref: 00E25AD4

Part of subcall function 00E29057: __CxxThrowException@8.LIBVCRUNTIME ref: 00E2906B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CurrentThread$Exception@8H_prolog3H_prolog3_ThrowVersion
String ID:
API String ID: 3564936719-0
Opcode ID: 34568a68b47cbbe36bd170a1ca3fd3cc5ae6a680148aca3f073a47b2269ba5a3
Instruction ID: 578714ccf3b1888345f8498cb906da20f9dc052963653199658c4460d5b25821
Opcode Fuzzy Hash: 34568a68b47cbbe36bd170a1ca3fd3cc5ae6a680148aca3f073a47b2269ba5a3
Instruction Fuzzy Hash: 4041D0B1901B148FD720DF2A998578AFBF0BF48300F905A6ED1AEA3711DB70A484CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00E58FE7 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecfe3b1dc72e9489c38c2433834424616e74e0704d13677cbdd4273b3f28431
Instruction ID: fac5959e122327fdae920b22b0d144ac6f545a9c9837c60f38054948f7a5909b
Opcode Fuzzy Hash: cecfe3b1dc72e9489c38c2433834424616e74e0704d13677cbdd4273b3f28431
Instruction Fuzzy Hash: 6211D531100304EFDB206B66AC05BEB7BA8FB81765F241E25FD54BB1D3E6719C4492A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E229B1 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00E229EB
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00E22A15
GetCapture.USER32 ref: 00E22A2B
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00E22A3A

Part of subcall function 00E29057: __CxxThrowException@8.LIBVCRUNTIME ref: 00E2906B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CaptureException@8Throw
String ID:
API String ID: 1331319163-0
Opcode ID: 30090c63734e05eab30c2b51f745167d2cd6dfe73c93c724c7a1fb3c7c54d30e
Instruction ID: 22661def88a86c10b54a49011e7e31b85ccb777d49275495a9be0b50cf7711fb
Opcode Fuzzy Hash: 30090c63734e05eab30c2b51f745167d2cd6dfe73c93c724c7a1fb3c7c54d30e
Instruction Fuzzy Hash: B811947130021DBFEB156B61DC89FBE7B6EFF48785F040024F709762A2CB619C54A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E39200 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 00E39228
CoTaskMemFree.OLE32(00000000,?,?,?,?,?,?,?,?,?,00E381EC,?,?,?,?,00E36C3D), ref: 00E392B5

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 87baf9febc2c04924098e8536772e60d8f9c0bda18a2e878d8ea20133e02eda9
Instruction ID: a556ecade6b031777e56f4de0ecaae21832b80439bf9eec0d593ce3e28496119
Opcode Fuzzy Hash: 87baf9febc2c04924098e8536772e60d8f9c0bda18a2e878d8ea20133e02eda9
Instruction Fuzzy Hash: 9B219D32110606FFDB199F69E85CAAA7F78FF45306F241114F806BA1B6CBB29D50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2EEBE Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(00000000), ref: 00E2EEE0
IsWindow.USER32(?), ref: 00E2EEFB
DeferWindowPos.USER32(00000000,?,00000000,?,00000000,?,00000000,00000000), ref: 00E2EF4B
EndDeferWindowPos.USER32(00000000), ref: 00E2EF56

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Defer$Begin
String ID:
API String ID: 2880567340-0
Opcode ID: 66689a2ffa0441e7e3d0d5f4a442d93f6b0e7d1f7ce3136e2d67be2646d8318f
Instruction ID: bfab4f7c8493614dd158ca1987c3ccc74983fd9ebe724056d4534d65d1147d6c
Opcode Fuzzy Hash: 66689a2ffa0441e7e3d0d5f4a442d93f6b0e7d1f7ce3136e2d67be2646d8318f
Instruction Fuzzy Hash: 23215C71A00129AFDB00CFA9DD84AAEBBF9FF08300F144429E51AF3251D734A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E288B5 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 00E288DB
LoadResource.KERNEL32(?,00000000), ref: 00E288E7
LockResource.KERNEL32(00000000), ref: 00E288F4
FreeResource.KERNEL32(00000000), ref: 00E28926

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 79e6cc231d4acea853a291bb36abbdd2256eee1081dcdcdbce8951fd4123af67
Instruction ID: e5c4212413a565300f01671cd295b0c0fda7ad9ec0e223f5d8c52d42d8bbf1d5
Opcode Fuzzy Hash: 79e6cc231d4acea853a291bb36abbdd2256eee1081dcdcdbce8951fd4123af67
Instruction Fuzzy Hash: D4119D35601329AFCB05AF69EC84A6E7BB9FF897147050069F809A7322DF70DC40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E59CBC Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2db780725a3867667a3a60502f9900d835b8fbeb18b7497df27263b64497a9
Instruction ID: 7a13ecfe670c5d853c46664940531d5e57942fa94a7b5e75a574a98c4685bb0b
Opcode Fuzzy Hash: 7e2db780725a3867667a3a60502f9900d835b8fbeb18b7497df27263b64497a9
Instruction Fuzzy Hash: 79012BB2209206BEEB301A786CC5FA7636DDF413BAF352F25F931721D6DA608C484270

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B35E Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 00E2B390
LoadResource.KERNEL32(?,00000000), ref: 00E2B398
LockResource.KERNEL32(?), ref: 00E2B3A6
FreeResource.KERNEL32(?), ref: 00E2B3FF

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ce2b39afed216eb247ac58e0404e4dc464b391d71427fbd9ad9ff88845cfb48b
Instruction ID: dfb84dbc8ae23ef483d48c773ebdee922380bcdb0326ddf461aad489f4ee621a
Opcode Fuzzy Hash: ce2b39afed216eb247ac58e0404e4dc464b391d71427fbd9ad9ff88845cfb48b
Instruction Fuzzy Hash: C611D031904631EBCB10EF56E848BAAB7B8FF48314F14C174E844A7696EBB49D81D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E27D9C Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 00E27DD7
RegCloseKey.ADVAPI32(00000000), ref: 00E27DE0
swprintf.LIBCMT ref: 00E27DFD
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00E27E0E

Part of subcall function 00E27B84: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00E279B3,?,00000000), ref: 00E27BC9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Close$PrivateProfileStringValueWriteswprintf
String ID:
API String ID: 581541481-0
Opcode ID: 52428497b339dad5e18e6470352f1de6fec594c7e8d0f8b8de8a4d71c5970d91
Instruction ID: d8ef1fd412bad7275ddb96d16e1ced92012359820869fcf6cb887e0d68715479
Opcode Fuzzy Hash: 52428497b339dad5e18e6470352f1de6fec594c7e8d0f8b8de8a4d71c5970d91
Instruction Fuzzy Hash: B001AD72600218BBDB10DB65AC46FAEB3FCEF49714F150899FA41B7291DB74ED0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E1E136 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00E1E165
GetFocus.USER32 ref: 00E1E17F
GetParent.USER32(?), ref: 00E1E18A
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 00E1E19F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 8e5790251e93a12e5fd9cabc79d73ce98680bdcb44366959e349439badd73690
Instruction ID: 5ca15a58d9acaf020f7b26e11973f1350d2e9b50d8cdda1d4449f0c8f9812b83
Opcode Fuzzy Hash: 8e5790251e93a12e5fd9cabc79d73ce98680bdcb44366959e349439badd73690
Instruction Fuzzy Hash: EB11E171240614AFDB209F25EC45FA6B7B9FF94311F149A18F90AB76A2C774E8C48A90

Uniqueness

Uniqueness Score: -1.00%

Function 00E4945C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E49476

Part of subcall function 00E493C3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E493F2
Part of subcall function 00E493C3: ___AdjustPointer.LIBCMT ref: 00E4940D

_UnwindNestedFrames.LIBCMT ref: 00E4948B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E4949C
CallCatchBlock.LIBVCRUNTIME ref: 00E494C4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 168c9c34df258510efb0ff844af28b6366e521c082595d16045faf1b1b758ed9
Instruction ID: 97f4621d7aa04d9cd9081159f76a2507be1cae121d200b64d366de8a1ae762ad
Opcode Fuzzy Hash: 168c9c34df258510efb0ff844af28b6366e521c082595d16045faf1b1b758ed9
Instruction Fuzzy Hash: 5E019E32100108BBCF126F95EC41EEB3FAAEF88358F045014FE5876122C332E861DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E12FC0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E12FF4
QueryPerformanceFrequency.KERNEL32(00989680,?,?,?,?,?,?,?,?,00000001), ref: 00E1302A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 00E13046
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E1306E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: PerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$CounterFrequency
String ID:
API String ID: 1219647529-0
Opcode ID: 565285fcd70ec6d0b2715de8e925ca12360cf36443defaebf779894f07e6dd70
Instruction ID: 19f2f7fcb87aa264744a78e13d73d6345cf463c2c2ec9581a21ea41775df5a74
Opcode Fuzzy Hash: 565285fcd70ec6d0b2715de8e925ca12360cf36443defaebf779894f07e6dd70
Instruction Fuzzy Hash: 00111CB5A10211AFD710EF6AFC45E9637E8EB8A710B045516F114B72B3D630B848CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00E03C08 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E03C1D
WindowFromPoint.USER32(?,?), ref: 00E03C29
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00E03C6F
_TrackMouseEvent.COMCTL32(?), ref: 00E03C8D

Part of subcall function 00E03347: InvalidateRect.USER32(?,00000000,00000001,00E037CC), ref: 00E03365

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: InvalidateRect$ClientEventFromMousePointScreenTrackWindow
String ID:
API String ID: 2310010663-0
Opcode ID: dac7c284d8e1b9f55e83b30bde59d270611e70aa9a625334e703265bf3e218c6
Instruction ID: 8336f4ba0860f9059686957f756209e9ab47d1982bda8a7e220290c7abdf18dd
Opcode Fuzzy Hash: dac7c284d8e1b9f55e83b30bde59d270611e70aa9a625334e703265bf3e218c6
Instruction Fuzzy Hash: AD115E714002159FEB25DB74C84CAAAB7F9FF44304F00952EE59AE5192EB71D9848B20

Uniqueness

Uniqueness Score: -1.00%

Function 00E22FCB Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00E22FD2
GetTopWindow.USER32(00000000), ref: 00E23015
GetWindow.USER32(00000000,00000002), ref: 00E23037

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b94aa01deae5ff187e9e00b545aa2f7db87e5252c9f7cd94772012096edbe86b
Instruction ID: ddfd081b6465e56449cdc9697eb4003f7d242614bd3c7314e33d61a1076d4c66
Opcode Fuzzy Hash: b94aa01deae5ff187e9e00b545aa2f7db87e5252c9f7cd94772012096edbe86b
Instruction Fuzzy Hash: 1C01083210152ABBDF225FA1ED08EDE3F66AF08354F045004FA1574061C77ACAA5EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E20A59 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00E20A63
GetTopWindow.USER32(00000000), ref: 00E20A70

Part of subcall function 00E20A59: GetWindow.USER32(00000000,00000002), ref: 00E20ABF

GetTopWindow.USER32(?), ref: 00E20AA4

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 6aef38ae9f5dc80f95b0eae2658ab11ce98ee9d5d4980492978242bec6d1e863
Instruction ID: 46c3f913d9768dccd40c338e88039db1c7c37ba4dce5a6d98c6353eb2fe124db
Opcode Fuzzy Hash: 6aef38ae9f5dc80f95b0eae2658ab11ce98ee9d5d4980492978242bec6d1e863
Instruction Fuzzy Hash: D401D17150273ABFDF22AF61AC04AEE3B68BF14358F45A010FC15B41A3E732C9519AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E20871 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 00E20895
LoadResource.KERNEL32(?,00000000), ref: 00E208A1
LockResource.KERNEL32(00000000), ref: 00E208AE
FreeResource.KERNEL32(00000000,00000000), ref: 00E208CA

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 21afe086b7bc508dc25099d145d77fc761c5f7b651b7a2b8d7beb3a35dfc791e
Instruction ID: f93a25cb855067c5f92f2b7b0c467c775122d4bca524e98a030ad78303db7f5f
Opcode Fuzzy Hash: 21afe086b7bc508dc25099d145d77fc761c5f7b651b7a2b8d7beb3a35dfc791e
Instruction Fuzzy Hash: 1AF0C2326013207FD729AB66BC44E6FB6ACAF85764B045124FD09F3663DA30CC4096E4

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B02A Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E2B038
GetParent.USER32(?), ref: 00E2B04B
GetParent.USER32(?), ref: 00E2B065
SetFocus.USER32(?,00000000,?,?,00E03A51,00000000), ref: 00E2B07E

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 4609985ba4f7484920df2badfea7e350fd81c1a6cbbcb6eacb224ed128ddad7d
Instruction ID: 991aac5578f1bc1c1f0fa516881d015388f6a6c0d970973af1202e7cbf789fae
Opcode Fuzzy Hash: 4609985ba4f7484920df2badfea7e350fd81c1a6cbbcb6eacb224ed128ddad7d
Instruction Fuzzy Hash: FBF0FB32610724DBCF226B71F818D1BBBAABFC83117052929B596A3563DF2598409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E2B8C2 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000001), ref: 00E2B8E6
GetActiveWindow.USER32 ref: 00E2B8F0
SetActiveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00E2B8FC
FreeResource.KERNEL32(?,?,?,?,?,00000000), ref: 00E2B926

Part of subcall function 00E2A5EA: EnableWindow.USER32(?,00000000), ref: 00E2A5FB

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: e8f71006a79267c51c5714620de28a70c873973e5d198762f3d12b4604e03949
Instruction ID: 45585e9b6f8fe75aed3ad81aa29f5cfe97644b9457a3bcd709543e37575a7e7c
Opcode Fuzzy Hash: e8f71006a79267c51c5714620de28a70c873973e5d198762f3d12b4604e03949
Instruction Fuzzy Hash: 1A016D30A012299FCF19EF61E889BADB775BF48311F041004EA05732A2CB746C85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B6C2 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00E0EC8E,004BEC50,?,00000000,00E0EC8E,?,00E6A4A0,00E0EC8E,00000001,00E0EC8E,00E0EC8E,?,00E5FF8C,00E0EC8E,?,00E0EC8E), ref: 00E6B6D9
GetLastError.KERNEL32(?,00E6A4A0,00E0EC8E,00000001,00E0EC8E,00E0EC8E,?,00E5FF8C,00E0EC8E,?,00E0EC8E,00E0EC8E,00E0EC8E,?,00E6050B,00E4F84C), ref: 00E6B6E5

Part of subcall function 00E6B6AB: CloseHandle.KERNEL32(FFFFFFFE,00E6B6F5,?,00E6A4A0,00E0EC8E,00000001,00E0EC8E,00E0EC8E,?,00E5FF8C,00E0EC8E,?,00E0EC8E,00E0EC8E,00E0EC8E), ref: 00E6B6BB

___initconout.LIBCMT ref: 00E6B6F5

Part of subcall function 00E6B66D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E6B69C,00E6A486,00E0EC8E,?,00E5FF8C,00E0EC8E,?,00E0EC8E,00E0EC8E), ref: 00E6B680

WriteConsoleW.KERNEL32(00E0EC8E,004BEC50,?,00000000,?,00E6A4A0,00E0EC8E,00000001,00E0EC8E,00E0EC8E,?,00E5FF8C,00E0EC8E,?,00E0EC8E,00E0EC8E), ref: 00E6B70A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f250c321fd6a254fd0a899fd6af88b42e422f79cc4d8cf33d54ee71b9c273054
Instruction ID: f8ecef89dace345ab8ed62bd43f273f5a2c64d38ac84a28fcd9feec6129aaec8
Opcode Fuzzy Hash: f250c321fd6a254fd0a899fd6af88b42e422f79cc4d8cf33d54ee71b9c273054
Instruction Fuzzy Hash: 47F0FE36440115BFCF126F92EC089893EA5FF493A0F044110F908E5131D7319CA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E423FB Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00E42417
GetTickCount.KERNEL32 ref: 00E42428
CoFreeUnusedLibraries.OLE32 ref: 00E4243B
GetTickCount.KERNEL32 ref: 00E42441

Part of subcall function 00E4238D: CoFreeUnusedLibraries.OLE32 ref: 00E423E2
Part of subcall function 00E4238D: OleUninitialize.OLE32 ref: 00E423E8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 65b9971282cffb176721417eb6a965ab2f9360dcc178fe8bd3c457fed37d18b2
Instruction ID: b26bce746aa3c9a04ccbe462560354c2d88941657e9bb8fbd4cd078dddc284fa
Opcode Fuzzy Hash: 65b9971282cffb176721417eb6a965ab2f9360dcc178fe8bd3c457fed37d18b2
Instruction Fuzzy Hash: E6E0C9308156098FD710AFA6FC4D2583BB1FB06315F98512AF519F5571C734A8E8CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00E74945 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

LeaveCriticalSection.KERNEL32(?), ref: 00E74980

Strings

c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E7495C
HR::SendRequest, xrefs: 00E74963
error code=%d, xrefs: 00E74952

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID: HR::SendRequest$c:\rhub2\code\hlib\hlib.cpp$error code=%d
API String ID: 2978645861-3379328656
Opcode ID: 1f6565d28a0a8eb1b644d8cceec9bd69e1ea7cd14bd00a341fb0f0c146c5d36b
Instruction ID: 2ebdaea7907b454b3fbaed34d20ae63ae78ec159364e60c78454578d9cb8e5a0
Opcode Fuzzy Hash: 1f6565d28a0a8eb1b644d8cceec9bd69e1ea7cd14bd00a341fb0f0c146c5d36b
Instruction Fuzzy Hash: FCD05EF2BC0300BBDB005754DC47F8B26A9AF94B04F443060B909B53E3D2A9AA998668

Uniqueness

Uniqueness Score: -1.00%

Function 00E723F7 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E723F7

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E72408
error code=%d, xrefs: 00E723FE
HR::Detect, xrefs: 00E7240F

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID: HR::Detect$c:\rhub2\code\hlib\hlib.cpp$error code=%d
API String ID: 4082018349-3618719425
Opcode ID: 3777db2c914bbe5b20aa077b558fb8fef6e2ae4b4af71b07f909c52e7d92f260
Instruction ID: a88f636a4f02024ba7676b7241fdccac759e44d2361dd178f23298911c5dfabf
Opcode Fuzzy Hash: 3777db2c914bbe5b20aa077b558fb8fef6e2ae4b4af71b07f909c52e7d92f260
Instruction Fuzzy Hash: E9D0A9313C0340BEDB025708CC83F5A3664AB02B00F8460A4B2087E2E3C2E62E89C7B8

Uniqueness

Uniqueness Score: -1.00%

Function 00E74C35 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 12COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E74C35

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E74C46
HLib::SetOptionA, xrefs: 00E74C4D
error code=%d, xrefs: 00E74C3C

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID: HLib::SetOptionA$c:\rhub2\code\hlib\hlib.cpp$error code=%d
API String ID: 4082018349-1992909155
Opcode ID: d5d8e4ccfef10d56dee1f03a54eb969645d159dcdee7e1fa0a040ac64f2f4267
Instruction ID: 51de0417160461f7ca50f239bf73d0cf560538505f61b5196cfaf90f1fba3088
Opcode Fuzzy Hash: d5d8e4ccfef10d56dee1f03a54eb969645d159dcdee7e1fa0a040ac64f2f4267
Instruction Fuzzy Hash: 17C08CB23C03007FEF021710AC07F2A3225B365B02F8430A0BA0C792E3C3C114498369

Uniqueness

Uniqueness Score: -1.00%

Function 00E72D83 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 12COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E72D83

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

HR::DoRequest, xrefs: 00E72D9B
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E72D94
error code=%d, xrefs: 00E72D8A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID: HR::DoRequest$c:\rhub2\code\hlib\hlib.cpp$error code=%d
API String ID: 4082018349-1477512771
Opcode ID: b757d2f27812caa48ead7b4c19fe1fbbe073a74d1bc5b57945677f88707dff20
Instruction ID: f45f838a19a430d77501380ae012fbd829adb5b7d8fbde68bd011107d7b8778e
Opcode Fuzzy Hash: b757d2f27812caa48ead7b4c19fe1fbbe073a74d1bc5b57945677f88707dff20
Instruction Fuzzy Hash: 22C08C723C07007FDE211B10AC07F293224A791F45F943064B709BC2F3C2D024498768

Uniqueness

Uniqueness Score: -1.00%

Function 00E74EE1 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 12COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E74EE1

Part of subcall function 00E0EEE0: EnterCriticalSection.KERNEL32(?,904898A6,?,?,00000000), ref: 00E0EF31
Part of subcall function 00E0EEE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 00E0EF7F

Strings

HLib::SetOptionR, xrefs: 00E74EF9
c:\rhub2\code\hlib\hlib.cpp, xrefs: 00E74EF2
error code=%d, xrefs: 00E74EE8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID: HLib::SetOptionR$c:\rhub2\code\hlib\hlib.cpp$error code=%d
API String ID: 4082018349-367263832
Opcode ID: 42cddc20582f6eb24fe420054adaa9c2c44f41819f93eda4d724b27dcc8d0ff3
Instruction ID: 92a57a708f953c2a51ffd4797ca64c99b030c5f26074f8cb96b1c0f303151ad4
Opcode Fuzzy Hash: 42cddc20582f6eb24fe420054adaa9c2c44f41819f93eda4d724b27dcc8d0ff3
Instruction Fuzzy Hash: 09C08CF33C07007FEE022700AC03F2A3528A344B00FC43064BB08782F3D2D81A499328

Uniqueness

Uniqueness Score: -1.00%

Function 00E34F22 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E34FC1
_memcpy_s.LIBCMT ref: 00E35105

Strings

|, xrefs: 00E34F22

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_catch_memcpy_s
String ID: |
API String ID: 76230481-1477062447
Opcode ID: 57f79f24f4d44c8aaf78e3db9fbf336f2d9cee7a5fa8c1da6acf50e88241a0e2
Instruction ID: 73740d3e0b7393ee4224f07ab2146a0da08f3233dfbcadd30ae7a2f63b831059
Opcode Fuzzy Hash: 57f79f24f4d44c8aaf78e3db9fbf336f2d9cee7a5fa8c1da6acf50e88241a0e2
Instruction Fuzzy Hash: 45916E71A01A0ADFCB18DF64C9889AEBBB5FF49314F245229E425B7391D731AD41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E39854 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E398C6
_memcmp.LIBVCRUNTIME ref: 00E39A4D

Strings

4J, xrefs: 00E39862

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID: 4J
API String ID: 2931989736-303676377
Opcode ID: dfd0125a623c65ae0906558229c1701118de3337edf5e02ecd3f611b019f0d57
Instruction ID: 0b204bdee15eba212e5b467bfe3a4e9b1d59ef78af966498d843d0177a1474af
Opcode Fuzzy Hash: dfd0125a623c65ae0906558229c1701118de3337edf5e02ecd3f611b019f0d57
Instruction Fuzzy Hash: B9714D75A10619EFCB08DF96CC4896EBBB9FF88715B000099E94AFB361DB71AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E5C73D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E5C7CD

Strings

pow, xrefs: 00E5C7A5, 00E5C7C2

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 56308522cb5813009b3ac2666e1c61aeee9b76273840e880821e83a12d0c922e
Instruction ID: b8f557a78c1e238401dc0738fb0ff0d5b732bd0f9b883c9e9a2226b26187f748
Opcode Fuzzy Hash: 56308522cb5813009b3ac2666e1c61aeee9b76273840e880821e83a12d0c922e
Instruction Fuzzy Hash: FA517C719443028ECB157724EA6137A27D49B44785F347E56E899721A9EF318C8C9F42

Uniqueness

Uniqueness Score: -1.00%

Function 00E2EF6B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(!), ref: 00E2EF86

Part of subcall function 00E1D4D9: SetRectEmpty.USER32(?), ref: 00E1D4E4
Part of subcall function 00E1D4D9: GetClientRect.USER32(00000000,?), ref: 00E1D4FB
Part of subcall function 00E1D4D9: OffsetRect.USER32(?,00000000,00000000), ref: 00E1D538

Strings

!, xrefs: 00E2EF7B, 00E2EF80
!, xrefs: 00E2EFB9

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Empty$ClientOffset
String ID: !$!
API String ID: 2342594873-1572258622
Opcode ID: 4bd90ac72df5e9b65bac6de2e37bf325f88d77265b950b17fe265dc4750ef14b
Instruction ID: 2b89845cbf534714af18077e4bc347fc55414e9ac0adbe56e310ef819ceb59af
Opcode Fuzzy Hash: 4bd90ac72df5e9b65bac6de2e37bf325f88d77265b950b17fe265dc4750ef14b
Instruction Fuzzy Hash: 8A618971D0061EDBCB00DF95E5495EEBFF4FF08310F6240A9D984B6255DB329A65CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E32103 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3210A
_wcsrchr.LIBVCRUNTIME ref: 00E32243

Strings

:/\, xrefs: 00E32194

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_wcsrchr
String ID: :/\
API String ID: 3614732858-2793184486
Opcode ID: 5f00922bdb5af845aa5ddae7be050a224334baa11e0ab7ba6060524eef295da2
Instruction ID: 0d68b7a48ac6f324fcf0bb8c288fd7a5dfe621f7fc4e1d646e10abcff142dea4
Opcode Fuzzy Hash: 5f00922bdb5af845aa5ddae7be050a224334baa11e0ab7ba6060524eef295da2
Instruction Fuzzy Hash: A4515E71A002099FDB04EFA4C999BEEB7F8BF48300F14156DE511B72D2DB749944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E425 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,?,0000000A,System,00E3E609,System,?,?,?,00000000), ref: 00E3E43F
GlobalUnlock.KERNEL32(00000000), ref: 00E3E557

Strings

System, xrefs: 00E3E42D

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Global$LockUnlock
String ID: System
API String ID: 2502338518-3470857405
Opcode ID: 67c5463078b006245fa2b2d411db9c54b4df1b4946d40fa593f0bffe1887bc4e
Instruction ID: 72426a879d654be2ae22c4cd64a5cd365fe5bd92abcd3a78d5921a4f37596f52
Opcode Fuzzy Hash: 67c5463078b006245fa2b2d411db9c54b4df1b4946d40fa593f0bffe1887bc4e
Instruction Fuzzy Hash: 0941927190011AAFDB24DFA8C8499BEBBF5FF04358F109569E425F7291E734AE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E63CB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00E63DCD: _free.LIBCMT ref: 00E63E2D

Part of subcall function 00E63A44: GetOEMCP.KERNEL32(00000000), ref: 00E63A6F

_free.LIBCMT ref: 00E63D2A
_free.LIBCMT ref: 00E63D60

Strings

xxH, xrefs: 00E63DC3

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: xxH
API String ID: 269201875-977459878
Opcode ID: aa41fbd97e6dcd717b2f9894ee05ee3f7246a1ec5997b20b581bc14a9c36d614
Instruction ID: 3914e323ebd14178b6581e1f12b2f0ef11edba9ec9614124941452950013f16e
Opcode Fuzzy Hash: aa41fbd97e6dcd717b2f9894ee05ee3f7246a1ec5997b20b581bc14a9c36d614
Instruction Fuzzy Hash: 29310671904249AFCB10DF68E840BDE7BF4FF45354F11145AF910AB2A1EB329E10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E65A88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00E65CE3,?,00000050,?,?,?,?,?), ref: 00E65B63

Strings

OCP, xrefs: 00E65ADC
ACP, xrefs: 00E65AA6

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d35f23c915ff72665a5f478d2b49fd46c6149174c575072be586d79e3fa031e8
Instruction ID: db20ace18c9d74ed47979d7deea5a2c60b72fed53554d0144f6220b471b7ed3c
Opcode Fuzzy Hash: d35f23c915ff72665a5f478d2b49fd46c6149174c575072be586d79e3fa031e8
Instruction Fuzzy Hash: BA21D663B80A00A6D7349F54ED41BA7B396EF54BD4F5A5625E909F7101F732DD40C350

Uniqueness

Uniqueness Score: -1.00%

Function 00E27CC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27B84: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00E279B3,?,00000000), ref: 00E27BC9

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 00E27CF4
RegCloseKey.ADVAPI32(00000000), ref: 00E27CFD

Strings

A, xrefs: 00E27D3B

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: Close$Value
String ID: A
API String ID: 299128501-3554254475
Opcode ID: 4bc3c485636c6fde7192dac4ab36fde45cc4ce339ec483094867c707a65ff688
Instruction ID: 9f1c0cb7454ef2a7afb4bf87189d1658a1afdb2cfe0fd5935789072aafad287c
Opcode Fuzzy Hash: 4bc3c485636c6fde7192dac4ab36fde45cc4ce339ec483094867c707a65ff688
Instruction Fuzzy Hash: 0B21F236200225ABCF159F65EC45AFF7BB9EF4A350F04502AFC49AB251DA75CC41D760

Uniqueness

Uniqueness Score: -1.00%

Function 00E2EDE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00E2EDFD
IsChild.USER32(?,?), ref: 00E2EE19

Strings

4&, xrefs: 00E2EE32

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ChildWindow
String ID: 4&
API String ID: 3555343667-1676276578
Opcode ID: 682347e6d140cf2fb8fa0fe4c41f1409c405d9b8f774b3b6c40a5cd94510bddd
Instruction ID: a769dd653bbdbd4869f76cf1594a0b1140e4d02bba1d13d31da13e968f475361
Opcode Fuzzy Hash: 682347e6d140cf2fb8fa0fe4c41f1409c405d9b8f774b3b6c40a5cd94510bddd
Instruction Fuzzy Hash: 9D11CE723002356B9B20ABBAAC91D7F73EC9F95B487052038F906F2251FA60DD0582B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E55574 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(00E54F67,?,?,00000000,00000000), ref: 00E555F4

Strings

./\, xrefs: 00E5558D
gO, xrefs: 00E55576

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: DriveType
String ID: ./\$gO
API String ID: 338552980-1752363115
Opcode ID: 23df09cdb20e4fb43135f81701203c7d1ca568b74ba49f9949db1e6066755823
Instruction ID: 5f8a508d5f854ffe2c9c61cd4df623a9b51b371db3b91ed4fa530f72b7bf796c
Opcode Fuzzy Hash: 23df09cdb20e4fb43135f81701203c7d1ca568b74ba49f9949db1e6066755823
Instruction Fuzzy Hash: CE119C366006086BDB14AF64DCA55FF73E8EF86315F9418A9ED0577181EAB05E8E8640

Uniqueness

Uniqueness Score: -1.00%

Function 00E4AA9B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E4AAC9
_free.LIBCMT ref: 00E4AAEF

Strings

l, xrefs: 00E4AB08

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: l
API String ID: 269201875-1854719717
Opcode ID: 006c83560e400caf901cc4289af2b8981d14c693af888e4f78412cd8212c7205
Instruction ID: 98b88d87c44affd522060caf6d79dbbb4114fc8c1f63e4a0dea64c58fed900e6
Opcode Fuzzy Hash: 006c83560e400caf901cc4289af2b8981d14c693af888e4f78412cd8212c7205
Instruction Fuzzy Hash: AB11B171A803004ED7345B29BC4AB173396A755734F182B36E930FB2E1E3B0E94A8681

Uniqueness

Uniqueness Score: -1.00%

Function 00E13080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00E130AD
_strstr.LIBCMT ref: 00E130BD

Strings

c:\rhub2\pcsetup\pcsetup.cpp, xrefs: 00E13082

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strstr
String ID: c:\rhub2\pcsetup\pcsetup.cpp
API String ID: 2882301372-158182345
Opcode ID: 2f94966675e251f15210b8c43a4b1ffefe2f979a24a0de6232a18e4782300b86
Instruction ID: b685237338fb45090f543653c88a1cb565728ce97b0bb4473d4c3a821771f199
Opcode Fuzzy Hash: 2f94966675e251f15210b8c43a4b1ffefe2f979a24a0de6232a18e4782300b86
Instruction Fuzzy Hash: 8F0126362043160BE6208DB46881BE7B7CCCA95755F04107CFC8567101DB929E8A46B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E5CF02 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E5CF52
_free.LIBCMT ref: 00E5CF86

Strings

Pn, xrefs: 00E5CF79

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: Pn
API String ID: 269201875-1375425085
Opcode ID: 10054aeb001a5d7c3fe503c6fdfe74340a058d9ae9e9863e66324d3a33a539da
Instruction ID: 729711212576b68e3ebdc14d9d3ea78e7c16e5378103148eed8efc64c1a3cdff
Opcode Fuzzy Hash: 10054aeb001a5d7c3fe503c6fdfe74340a058d9ae9e9863e66324d3a33a539da
Instruction Fuzzy Hash: 3D01F125A4D3222E8A312374AC12A6F22CB9B26763F342E20BE34BA0D1D9519C1D51F2

Uniqueness

Uniqueness Score: -1.00%

Function 00E154F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

_strstr.LIBCMT ref: 00E154FC
_strstr.LIBCMT ref: 00E15510

Strings

%3F, xrefs: 00E1550A

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: _strstr
String ID: %3F
API String ID: 2882301372-2853428364
Opcode ID: c6a3054798f3a33e3877dd777167fe41ebcd1e20ac3febb51a3dab8483b47d41
Instruction ID: 53364bc918c0556989413e5bd19f48c880318db6c44cacf54850e8ffff20598c
Opcode Fuzzy Hash: c6a3054798f3a33e3877dd777167fe41ebcd1e20ac3febb51a3dab8483b47d41
Instruction Fuzzy Hash: C5F050371046519ACE2199687C049CB2FD68ED1364F05146DF48437201D665594783F2

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E804 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3E80B

Strings

tG, xrefs: 00E3E816, 00E3E852, 00E3E831, 00E3E841, 00E3E847
tG, xrefs: 00E3E844

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID: tG$tG
API String ID: 431132790-276734821
Opcode ID: 1080f626e605fd5ae4e5b6b1703f85e9985ee348646c3af0c4ba9979a0ebce19
Instruction ID: 582ebc1aff6b90754deeb65b85a7ca8470bd3f883b620025c135b0a1ef003f37
Opcode Fuzzy Hash: 1080f626e605fd5ae4e5b6b1703f85e9985ee348646c3af0c4ba9979a0ebce19
Instruction Fuzzy Hash: F2F03A7190111AAACF05FFA0DC06AAE7BB8BF10354F086818F915762D1DF719910DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E23A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,g), ref: 00E23A8B
LoadIconW.USER32(00000000,00007F00), ref: 00E23A9E

Strings

g, xrefs: 00E23A85, 00E23A89

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: IconLoad
String ID: g
API String ID: 2457776203-1037297435
Opcode ID: 6746c69ed25f39b4ccde54491c35783c32adc93cc4702d7631bb53953d85c9dd
Instruction ID: 48d23caed3c62759781adac53c848a462d3deeb10ef40a5c066efaed2584a3ca
Opcode Fuzzy Hash: 6746c69ed25f39b4ccde54491c35783c32adc93cc4702d7631bb53953d85c9dd
Instruction Fuzzy Hash: 3BE09A71500724AFCB20EFA9EC048BBB7ECEF08710700442AFC49E7211DA34E940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E0E4D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,TMSetupWindow,00000000,00E08130,904898A6,?,?,00E0176D,?,?,00000000,00001000), ref: 00E0E4E6
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00E0176D,?,?,00000000,00001000), ref: 00E0E4F7

Strings

TMSetupWindow, xrefs: 00E0E4D1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CreateEvent
String ID: TMSetupWindow
API String ID: 2692171526-637819172
Opcode ID: 15a95d14904376c57eec7152cfcac89ed67438d6b3f5d97203b73e65a91b0a10
Instruction ID: 2e350a694712ef49e1b494a9a11abe9c22beeddca389226ff4908ec86231ebbc
Opcode Fuzzy Hash: 15a95d14904376c57eec7152cfcac89ed67438d6b3f5d97203b73e65a91b0a10
Instruction Fuzzy Hash: 23E01AB0380301BEE3148F16DC0AB02FAA0AB84B10F20851AF204AE6C0D7F1A4948B94

Uniqueness

Uniqueness Score: -1.00%

Function 00E4518A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E0156F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E451B9,?,?,?,00E012B2), ref: 00E01574
Part of subcall function 00E0156F: GetLastError.KERNEL32(?,00E451B9,?,?,?,00E012B2), ref: 00E0157E

IsDebuggerPresent.KERNEL32(?,?,?,00E012B2), ref: 00E451BD
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E012B2), ref: 00E451CC

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E451C7

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 3b4a964da20da59986572f64068abb6b8aefb3d4ed873d776fdc5c8ef09169bb
Instruction ID: 59f7ee9ad888d48b5fe9e9337c680b12c368a268278578b7917bfde20e95f42b
Opcode Fuzzy Hash: 3b4a964da20da59986572f64068abb6b8aefb3d4ed873d776fdc5c8ef09169bb
Instruction Fuzzy Hash: AAE06D72200B418FD320EF69F8047467AE4AF45744F00995DE89AFB752EBB1E48CCB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E453D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E453E3

Part of subcall function 00E4533D: std::exception::exception.LIBCONCRT ref: 00E4534A

__CxxThrowException@8.LIBVCRUNTIME ref: 00E453F1

Part of subcall function 00E47B17: RaiseException.KERNEL32(?,?,00E453D6,?,?,?,?,?,?,?,?,00E453D6,?,00E9D10C,?), ref: 00E47B77

Strings

Unknown exception, xrefs: 00E453FE

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: Unknown exception
API String ID: 1586462112-410509341
Opcode ID: d8227236c44e0bd92f5d48738c35f52caf09397bc066a19d8d628846f74c656a
Instruction ID: dcdba17e05bde3799562759f4bca2f5ba6e6ab0271696d2892137bae24b54a45
Opcode Fuzzy Hash: d8227236c44e0bd92f5d48738c35f52caf09397bc066a19d8d628846f74c656a
Instruction Fuzzy Hash: 14D0A736E0470877CF00FAA4E806D8C77AC9E00780B909860B914F7142F7B1E91687C0

Uniqueness

Uniqueness Score: -1.00%

Function 00E67314 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,00000000,00000000,?,00000000), ref: 00E673AA
GetLastError.KERNEL32 ref: 00E673B8
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00E67413

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a46a8f47f3b9727d8a0408f2aa0c485e0cbcc1607ec3b8984555cc87f16d66fe
Instruction ID: a66147402e877288eaac86fbef7923ab071927a5b16f07619d4539f3cafff1fc
Opcode Fuzzy Hash: a46a8f47f3b9727d8a0408f2aa0c485e0cbcc1607ec3b8984555cc87f16d66fe
Instruction Fuzzy Hash: 2D410A30648255AFCF21CF65E848ABA7FA4EF413ACF145158E8E977192DB308D01D761

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D0B1 Relevance: 5.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000001,00000000,00000010,?,?,00000000), ref: 00E2D12C
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 00E2D13F
LocalFree.KERNEL32(?,?,?,00000000), ref: 00E2D148
TlsSetValue.KERNEL32(?,00000000,?,?,00000000), ref: 00E2D164

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 9ea08fe5ea169aee703b00735ccc2b3d171a7af2b718826b850e933e5d6d3702
Instruction ID: f80e8f0a38f91a2cac4a1574020372fcdf67b8fc52e6dab4e9751a45a96b505f
Opcode Fuzzy Hash: 9ea08fe5ea169aee703b00735ccc2b3d171a7af2b718826b850e933e5d6d3702
Instruction Fuzzy Hash: 99218E35A00228EFCB14DF59EC84A9DBBB5FF49315F148159EA06AB261C731ED92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2DE19 Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00EAF9A0,00000000,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE4A
InitializeCriticalSection.KERNEL32(00000000,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE60
LeaveCriticalSection.KERNEL32(00EAF9A0,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE6E
EnterCriticalSection.KERNEL32(00000000,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DE7B

Part of subcall function 00E2DDB0: InitializeCriticalSection.KERNEL32(00EAF9A0,00E2DE34,?,?,?,00E2D261,00000010,00000008,00E1DE06,00E1DE49,00E1DEA6,00E25C04,904898A6), ref: 00E2DDC8

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: bebb9b9d52f92ec93bc1e0f9f97baad6e324cb042491113cc6e45937a2242b2b
Instruction ID: 97545ae3bcff12964aa5adea95000ebf2aacc0b22276aa543b03c8ba20273a75
Opcode Fuzzy Hash: bebb9b9d52f92ec93bc1e0f9f97baad6e324cb042491113cc6e45937a2242b2b
Instruction Fuzzy Hash: ECF09C73900224BFCA106BD6FC0DB5A766CEF9E322F856421F645B6062C734D446C696

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D35C Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,00000000,?,00E2D33F,00000000,00000004,00E1DDEC,00E1DEA6,00E25C04,904898A6), ref: 00E2D368
TlsGetValue.KERNEL32(00000000,?,?,00000000,?,00E2D33F,00000000,00000004,00E1DDEC,00E1DEA6,00E25C04,904898A6), ref: 00E2D37C
LeaveCriticalSection.KERNEL32(0000001C,?,?,00000000,?,00E2D33F,00000000,00000004,00E1DDEC,00E1DEA6,00E25C04,904898A6), ref: 00E2D396
LeaveCriticalSection.KERNEL32(0000001C,?,?,00000000,?,00E2D33F,00000000,00000004,00E1DDEC,00E1DEA6,00E25C04,904898A6), ref: 00E2D3A1

Memory Dump Source

Source File: 00000000.00000002.1476925615.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1476906068.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476961743.0000000000E79000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476983318.0000000000EA1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1476997541.0000000000EA6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477010902.0000000000EA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477023099.0000000000EAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1477058529.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 89409e10f04352deb2afde481aca2bb44e6d86876d6edd1f603887708858acdf
Instruction ID: 762fbd7f6ebb73f2be081a960b25de917e1ff075fed17ac1e3547ebdd3181827
Opcode Fuzzy Hash: 89409e10f04352deb2afde481aca2bb44e6d86876d6edd1f603887708858acdf
Instruction Fuzzy Hash: 04F09076304624AFCB10EB26EC849DAB7A8EF487603555015E90AB7222C631EC458AE2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: TMLauncher.exePID: 7312, Parent PID: 3624COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 00CB4100 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 209fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB6390: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000136,00000136,00CA2639,?,?,00000200,?,%s\%s,?,version.txt,Utility::GetUserDirectory(),00000000), ref: 00CB63AA

FindFirstFileW.KERNELBASE(?,?,?,00D127A8,?,%s\%s,?,?,?,?,?,?,?,00000000), ref: 00CB4177
RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB41A2
SetFileAttributesW.KERNELBASE(?,?), ref: 00CB42A2
_strstr.LIBCMT ref: 00CB42C7
DeleteFileW.KERNELBASE(?), ref: 00CB42E0
FindNextFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 00CB42EC
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CB42FB

Strings

c:\rhub2\code\utility\utility.cpp, xrefs: 00CB438A
%s\%s, xrefs: 00CB426A
Utility::RemoveAllFile, xrefs: 00CB4391
%s\*, xrefs: 00CB4142
End of RemoveAllFile: path = %s, %s, error code: %d, error: %s, xrefs: 00CB4380

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: File$Find$AttributesByteCharCloseDeleteDirectoryFirstMultiNextRemoveWide_strstr
String ID: %s\%s$%s\*$End of RemoveAllFile: path = %s, %s, error code: %d, error: %s$Utility::RemoveAllFile$c:\rhub2\code\utility\utility.cpp
API String ID: 2053179335-2006491347
Opcode ID: bfd6d4b540db4749e6e881100eb81af914e3e13471a86a52beee189a20743845
Instruction ID: 46954af84325fb9fa7e7606043650cc103fb2c439297f42b80bd5e433e206bc9
Opcode Fuzzy Hash: bfd6d4b540db4749e6e881100eb81af914e3e13471a86a52beee189a20743845
Instruction Fuzzy Hash: 8361F1B2548344BAE724EB64DC46FEB73EDEB68304F440829F655C2192EB31E684D762

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2353 Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CAF930: EnterCriticalSection.KERNEL32(?,A2E85FC4), ref: 00CAF981
Part of subcall function 00CAF930: LeaveCriticalSection.KERNEL32(?), ref: 00CAF9CF

_strstr.LIBCMT ref: 00CA24DC

Strings

TurboMeeting, xrefs: 00CA2980
c:\rhub2\code\pcinstaller\pcinstaller.cpp, xrefs: 00CA24B6, 00CA2528, 00CA2555, 00CA25ED, 00CA26F3, 00CA294F, 00CA29A7, 00CA2A25
m_sStartMenuDirectory = %s, xrefs: 00CA25E3
version.txt, xrefs: 00CA2604
LoadDictionary failed, m_sCurrentDirectory = %s, xrefs: 00CA2A1B
of PCInstaller, xrefs: 00CA27B5
PCInstaller:Instialize(), xrefs: 00CA26FA
PCInstaller:Initialize(), xrefs: 00CA24BD, 00CA252F, 00CA2A2C
g_oTranslator->m_sDirectory = %s, xrefs: 00CA2945
V5.0 SP1, xrefs: 00CA2764
:, xrefs: 00CA2772
m_uIdentity.m_sClientName = %s, xrefs: 00CA251E, 00CA254B
w<, xrefs: 00CA2744
Utility::GetUserDirectory(), xrefs: 00CA255C, 00CA25F4, 00CA2956, 00CA29AE
Failed to open the dictionary file, xrefs: 00CA2A08
%s\dictionary_client_ENG.tmd, xrefs: 00CA2919
--client_name, xrefs: 00CA24D6
%s\%s, xrefs: 00CA2616, 00CA2989
Try a different one: g_oTranslator->m_sDirectory = %s, xrefs: 00CA299D
client, xrefs: 00CA29D6
Version is %s, sVersionFileName %s, xrefs: 00CA2671
Error, xrefs: 00CA2A03

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalSection$EnterLeave_strstr
String ID: of PCInstaller$%s\%s$%s\dictionary_client_ENG.tmd$--client_name$Error$Failed to open the dictionary file$LoadDictionary failed, m_sCurrentDirectory = %s$PCInstaller:Initialize()$PCInstaller:Instialize()$Try a different one: g_oTranslator->m_sDirectory = %s$TurboMeeting$Utility::GetUserDirectory()$V5.0 SP1$Version is %s, sVersionFileName %s$c:\rhub2\code\pcinstaller\pcinstaller.cpp$client$g_oTranslator->m_sDirectory = %s$m_sStartMenuDirectory = %s$m_uIdentity.m_sClientName = %s$version.txt$w<$:
API String ID: 151139275-1809635399
Opcode ID: caf57b1029bbc4a098f67b82252c62c407beda2cd4db5fc7b83beca7e260ed0d
Instruction ID: 48febd5953b555de283b5c158bf751ef6bd54fb5cc53980bae59026b82bda5e6
Opcode Fuzzy Hash: caf57b1029bbc4a098f67b82252c62c407beda2cd4db5fc7b83beca7e260ed0d
Instruction Fuzzy Hash: 19D17631A41319BEDB14DB64DC02FEABB74BF06304F044198F518A76D2DBB25BD59BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2384 Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CAF930: EnterCriticalSection.KERNEL32(?,A2E85FC4), ref: 00CAF981
Part of subcall function 00CAF930: LeaveCriticalSection.KERNEL32(?), ref: 00CAF9CF

_strstr.LIBCMT ref: 00CA24DC

Strings

TurboMeeting, xrefs: 00CA2980
c:\rhub2\code\pcinstaller\pcinstaller.cpp, xrefs: 00CA24B6, 00CA2528, 00CA2555, 00CA25ED, 00CA26F3, 00CA294F, 00CA29A7, 00CA2A25
m_sStartMenuDirectory = %s, xrefs: 00CA25E3
version.txt, xrefs: 00CA2604
LoadDictionary failed, m_sCurrentDirectory = %s, xrefs: 00CA2A1B
of PCInstaller, xrefs: 00CA27B5
PCInstaller:Instialize(), xrefs: 00CA26FA
PCInstaller:Initialize(), xrefs: 00CA24BD, 00CA252F, 00CA2A2C
g_oTranslator->m_sDirectory = %s, xrefs: 00CA2945
V5.0 SP1, xrefs: 00CA2764
:, xrefs: 00CA2772
m_uIdentity.m_sClientName = %s, xrefs: 00CA251E, 00CA254B
w<, xrefs: 00CA2744
Utility::GetUserDirectory(), xrefs: 00CA255C, 00CA25F4, 00CA2956, 00CA29AE
Failed to open the dictionary file, xrefs: 00CA2A08
%s\dictionary_client_ENG.tmd, xrefs: 00CA2919
--client_name, xrefs: 00CA24D6
%s\%s, xrefs: 00CA2616, 00CA2989
Try a different one: g_oTranslator->m_sDirectory = %s, xrefs: 00CA299D
client, xrefs: 00CA29D6
Version is %s, sVersionFileName %s, xrefs: 00CA2671
Error, xrefs: 00CA2A03

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalSection$EnterLeave_strstr
String ID: of PCInstaller$%s\%s$%s\dictionary_client_ENG.tmd$--client_name$Error$Failed to open the dictionary file$LoadDictionary failed, m_sCurrentDirectory = %s$PCInstaller:Initialize()$PCInstaller:Instialize()$Try a different one: g_oTranslator->m_sDirectory = %s$TurboMeeting$Utility::GetUserDirectory()$V5.0 SP1$Version is %s, sVersionFileName %s$c:\rhub2\code\pcinstaller\pcinstaller.cpp$client$g_oTranslator->m_sDirectory = %s$m_sStartMenuDirectory = %s$m_uIdentity.m_sClientName = %s$version.txt$w<$:
API String ID: 151139275-1809635399
Opcode ID: 8d2488407d0a9976bcca64797b088dc6a1f8929d77be72aba992b9f1ee2bfc16
Instruction ID: 4a9dd028368f0d0c7535704fcfdc4bc341f878166e0c859195f293a38698a87b
Opcode Fuzzy Hash: 8d2488407d0a9976bcca64797b088dc6a1f8929d77be72aba992b9f1ee2bfc16
Instruction Fuzzy Hash: 4FD16531A41319BEDB10DB64DC02FEABB74BF06304F044198F519A76D2DBB26BD59BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA23B5 Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CAF930: EnterCriticalSection.KERNEL32(?,A2E85FC4), ref: 00CAF981
Part of subcall function 00CAF930: LeaveCriticalSection.KERNEL32(?), ref: 00CAF9CF

_strstr.LIBCMT ref: 00CA24DC

Strings

TurboMeeting, xrefs: 00CA2980
c:\rhub2\code\pcinstaller\pcinstaller.cpp, xrefs: 00CA24B6, 00CA2528, 00CA2555, 00CA25ED, 00CA26F3, 00CA294F, 00CA29A7, 00CA2A25
m_sStartMenuDirectory = %s, xrefs: 00CA25E3
version.txt, xrefs: 00CA2604
LoadDictionary failed, m_sCurrentDirectory = %s, xrefs: 00CA2A1B
of PCInstaller, xrefs: 00CA27B5
PCInstaller:Instialize(), xrefs: 00CA26FA
PCInstaller:Initialize(), xrefs: 00CA24BD, 00CA252F, 00CA2A2C
g_oTranslator->m_sDirectory = %s, xrefs: 00CA2945
V5.0 SP1, xrefs: 00CA2764
:, xrefs: 00CA2772
m_uIdentity.m_sClientName = %s, xrefs: 00CA251E, 00CA254B
w<, xrefs: 00CA2744
Utility::GetUserDirectory(), xrefs: 00CA255C, 00CA25F4, 00CA2956, 00CA29AE
Failed to open the dictionary file, xrefs: 00CA2A08
%s\dictionary_client_ENG.tmd, xrefs: 00CA2919
--client_name, xrefs: 00CA24D6
%s\%s, xrefs: 00CA2616, 00CA2989
Try a different one: g_oTranslator->m_sDirectory = %s, xrefs: 00CA299D
client, xrefs: 00CA29D6
Version is %s, sVersionFileName %s, xrefs: 00CA2671
Error, xrefs: 00CA2A03

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalSection$EnterLeave_strstr
String ID: of PCInstaller$%s\%s$%s\dictionary_client_ENG.tmd$--client_name$Error$Failed to open the dictionary file$LoadDictionary failed, m_sCurrentDirectory = %s$PCInstaller:Initialize()$PCInstaller:Instialize()$Try a different one: g_oTranslator->m_sDirectory = %s$TurboMeeting$Utility::GetUserDirectory()$V5.0 SP1$Version is %s, sVersionFileName %s$c:\rhub2\code\pcinstaller\pcinstaller.cpp$client$g_oTranslator->m_sDirectory = %s$m_sStartMenuDirectory = %s$m_uIdentity.m_sClientName = %s$version.txt$w<$:
API String ID: 151139275-1809635399
Opcode ID: e7fde1bd83495333d77def4b5bad5e5179344c282a7200fe997116dcc356978e
Instruction ID: 51a0ca1f809d879cc4b2b54fa43446fab87833209deb3545f3b114bb50d8cced
Opcode Fuzzy Hash: e7fde1bd83495333d77def4b5bad5e5179344c282a7200fe997116dcc356978e
Instruction Fuzzy Hash: CED16431A41319BEDB10DB64DC02FEABB74BF06304F044198F519A72D2DBB26BD59BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2448 Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CAF930: EnterCriticalSection.KERNEL32(?,A2E85FC4), ref: 00CAF981
Part of subcall function 00CAF930: LeaveCriticalSection.KERNEL32(?), ref: 00CAF9CF

_strstr.LIBCMT ref: 00CA24DC

Strings

TurboMeeting, xrefs: 00CA2980
c:\rhub2\code\pcinstaller\pcinstaller.cpp, xrefs: 00CA24B6, 00CA2528, 00CA2555, 00CA25ED, 00CA26F3, 00CA294F, 00CA29A7, 00CA2A25
m_sStartMenuDirectory = %s, xrefs: 00CA25E3
version.txt, xrefs: 00CA2604
LoadDictionary failed, m_sCurrentDirectory = %s, xrefs: 00CA2A1B
of PCInstaller, xrefs: 00CA27B5
PCInstaller:Instialize(), xrefs: 00CA26FA
PCInstaller:Initialize(), xrefs: 00CA24BD, 00CA252F, 00CA2A2C
g_oTranslator->m_sDirectory = %s, xrefs: 00CA2945
V5.0 SP1, xrefs: 00CA2764
:, xrefs: 00CA2772
m_uIdentity.m_sClientName = %s, xrefs: 00CA251E, 00CA254B
w<, xrefs: 00CA2744
Utility::GetUserDirectory(), xrefs: 00CA255C, 00CA25F4, 00CA2956, 00CA29AE
Failed to open the dictionary file, xrefs: 00CA2A08
%s\dictionary_client_ENG.tmd, xrefs: 00CA2919
--client_name, xrefs: 00CA24D6
%s\%s, xrefs: 00CA2616, 00CA2989
Try a different one: g_oTranslator->m_sDirectory = %s, xrefs: 00CA299D
client, xrefs: 00CA29D6
Version is %s, sVersionFileName %s, xrefs: 00CA2671
Error, xrefs: 00CA2A03

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalSection$EnterLeave_strstr
String ID: of PCInstaller$%s\%s$%s\dictionary_client_ENG.tmd$--client_name$Error$Failed to open the dictionary file$LoadDictionary failed, m_sCurrentDirectory = %s$PCInstaller:Initialize()$PCInstaller:Instialize()$Try a different one: g_oTranslator->m_sDirectory = %s$TurboMeeting$Utility::GetUserDirectory()$V5.0 SP1$Version is %s, sVersionFileName %s$c:\rhub2\code\pcinstaller\pcinstaller.cpp$client$g_oTranslator->m_sDirectory = %s$m_sStartMenuDirectory = %s$m_uIdentity.m_sClientName = %s$version.txt$w<$:
API String ID: 151139275-1809635399
Opcode ID: 9407a9bd4af04ff53f3e9590fd0ea1061780f00aa413d2a58d0db8ec16268e43
Instruction ID: 9a473239821bf66372eaca4c56aab654e7ccfebe9d8b17c16f26f4afd60c88cb
Opcode Fuzzy Hash: 9407a9bd4af04ff53f3e9590fd0ea1061780f00aa413d2a58d0db8ec16268e43
Instruction Fuzzy Hash: 47D15431A41319BEDB14DB64DC02FEABB74BF06304F044198F519A72D2DBB26BD59BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA2417 Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CAF930: EnterCriticalSection.KERNEL32(?,A2E85FC4), ref: 00CAF981
Part of subcall function 00CAF930: LeaveCriticalSection.KERNEL32(?), ref: 00CAF9CF

_strstr.LIBCMT ref: 00CA24DC

Strings

TurboMeeting, xrefs: 00CA2980
c:\rhub2\code\pcinstaller\pcinstaller.cpp, xrefs: 00CA24B6, 00CA2528, 00CA2555, 00CA25ED, 00CA26F3, 00CA294F, 00CA29A7, 00CA2A25
m_sStartMenuDirectory = %s, xrefs: 00CA25E3
version.txt, xrefs: 00CA2604
LoadDictionary failed, m_sCurrentDirectory = %s, xrefs: 00CA2A1B
of PCInstaller, xrefs: 00CA27B5
PCInstaller:Instialize(), xrefs: 00CA26FA
PCInstaller:Initialize(), xrefs: 00CA24BD, 00CA252F, 00CA2A2C
g_oTranslator->m_sDirectory = %s, xrefs: 00CA2945
V5.0 SP1, xrefs: 00CA2764
:, xrefs: 00CA2772
m_uIdentity.m_sClientName = %s, xrefs: 00CA251E, 00CA254B
w<, xrefs: 00CA2744
Utility::GetUserDirectory(), xrefs: 00CA255C, 00CA25F4, 00CA2956, 00CA29AE
Failed to open the dictionary file, xrefs: 00CA2A08
%s\dictionary_client_ENG.tmd, xrefs: 00CA2919
--client_name, xrefs: 00CA24D6
%s\%s, xrefs: 00CA2616, 00CA2989
Try a different one: g_oTranslator->m_sDirectory = %s, xrefs: 00CA299D
client, xrefs: 00CA29D6
Version is %s, sVersionFileName %s, xrefs: 00CA2671
Error, xrefs: 00CA2A03

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalSection$EnterLeave_strstr
String ID: of PCInstaller$%s\%s$%s\dictionary_client_ENG.tmd$--client_name$Error$Failed to open the dictionary file$LoadDictionary failed, m_sCurrentDirectory = %s$PCInstaller:Initialize()$PCInstaller:Instialize()$Try a different one: g_oTranslator->m_sDirectory = %s$TurboMeeting$Utility::GetUserDirectory()$V5.0 SP1$Version is %s, sVersionFileName %s$c:\rhub2\code\pcinstaller\pcinstaller.cpp$client$g_oTranslator->m_sDirectory = %s$m_sStartMenuDirectory = %s$m_uIdentity.m_sClientName = %s$version.txt$w<$:
API String ID: 151139275-1809635399
Opcode ID: a66b295bd8898bb1a9f3e3c2789982d3792d27430e332ada1daf19837adb7dd2
Instruction ID: 1147772a877eecd90655308037283ce712b7e3fa2ec5305cb84a975b9a172f97
Opcode Fuzzy Hash: a66b295bd8898bb1a9f3e3c2789982d3792d27430e332ada1daf19837adb7dd2
Instruction Fuzzy Hash: 61D16431A41319BEDB10DB64DC02FEABB74BF06304F044198F519A72D2DBB25BD59BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CA23EE Relevance: 49.3, APIs: 6, Strings: 22, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CAF930: EnterCriticalSection.KERNEL32(?,A2E85FC4), ref: 00CAF981
Part of subcall function 00CAF930: LeaveCriticalSection.KERNEL32(?), ref: 00CAF9CF

_strstr.LIBCMT ref: 00CA24DC

Strings

TurboMeeting, xrefs: 00CA2980
c:\rhub2\code\pcinstaller\pcinstaller.cpp, xrefs: 00CA24B6, 00CA2528, 00CA2555, 00CA25ED, 00CA26F3, 00CA294F, 00CA29A7, 00CA2A25
m_sStartMenuDirectory = %s, xrefs: 00CA25E3
version.txt, xrefs: 00CA2604
LoadDictionary failed, m_sCurrentDirectory = %s, xrefs: 00CA2A1B
of PCInstaller, xrefs: 00CA27B5
PCInstaller:Instialize(), xrefs: 00CA26FA
PCInstaller:Initialize(), xrefs: 00CA24BD, 00CA252F, 00CA2A2C
g_oTranslator->m_sDirectory = %s, xrefs: 00CA2945
V5.0 SP1, xrefs: 00CA2764
:, xrefs: 00CA2772
m_uIdentity.m_sClientName = %s, xrefs: 00CA251E, 00CA254B
w<, xrefs: 00CA2744
Utility::GetUserDirectory(), xrefs: 00CA255C, 00CA25F4, 00CA2956, 00CA29AE
Failed to open the dictionary file, xrefs: 00CA2A08
%s\dictionary_client_ENG.tmd, xrefs: 00CA2919
--client_name, xrefs: 00CA24D6
%s\%s, xrefs: 00CA2616, 00CA2989
Try a different one: g_oTranslator->m_sDirectory = %s, xrefs: 00CA299D
client, xrefs: 00CA29D6
Version is %s, sVersionFileName %s, xrefs: 00CA2671
Error, xrefs: 00CA2A03

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalSection$EnterLeave_strstr
String ID: of PCInstaller$%s\%s$%s\dictionary_client_ENG.tmd$--client_name$Error$Failed to open the dictionary file$LoadDictionary failed, m_sCurrentDirectory = %s$PCInstaller:Initialize()$PCInstaller:Instialize()$Try a different one: g_oTranslator->m_sDirectory = %s$TurboMeeting$Utility::GetUserDirectory()$V5.0 SP1$Version is %s, sVersionFileName %s$c:\rhub2\code\pcinstaller\pcinstaller.cpp$client$g_oTranslator->m_sDirectory = %s$m_sStartMenuDirectory = %s$m_uIdentity.m_sClientName = %s$version.txt$w<$:
API String ID: 151139275-1809635399
Opcode ID: 2e88280af3f198695783b9bde54b04a7c4a3d2ed4b2d0ef86f29f9019fe9f6d8
Instruction ID: 5652eb627b4bd29ccb3fa15202fa9070fb043122e6ac143dd87ba8782582c7ce
Opcode Fuzzy Hash: 2e88280af3f198695783b9bde54b04a7c4a3d2ed4b2d0ef86f29f9019fe9f6d8
Instruction Fuzzy Hash: C5D15431A41319BEDB10DB64DC02FEAB774BF06304F044198F519A72D2DBB26BD59BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD44C6 Relevance: 15.1, APIs: 10, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,00000000), ref: 00CD44DB
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,00000000), ref: 00CD4536
GlobalHandle.KERNEL32(00000010), ref: 00CD4540
GlobalUnlock.KERNEL32(00000000,?,?,00000000), ref: 00CD4549
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00CD4563
GlobalLock.KERNEL32(00000000,?,?,00000000), ref: 00CD456E
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00CD45B8
GlobalHandle.KERNEL32(00000010), ref: 00CD45CC
GlobalLock.KERNEL32(00000000,?,?,00000000), ref: 00CD45D3
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00CD45DD

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 7dd25fe401329e1d9eaeda8553f3180a284888fda57864ef063c49093f469f5c
Instruction ID: 6393b139dd542347a49d8fa3bb05c89e208e6915d46a3691aa6487bff5688022
Opcode Fuzzy Hash: 7dd25fe401329e1d9eaeda8553f3180a284888fda57864ef063c49093f469f5c
Instruction Fuzzy Hash: 79417275600304BFDB29DF64E989B997BF9EF84301F00845AF652D7390EB74AA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB40B0 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 31windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Progman,00000000), ref: 00CB40B9
FindWindowExW.USER32(00000000,00000000,SHELLDLL_DefView,00000000), ref: 00CB40CF
FindWindowExW.USER32(00000000,00000000,SysListView32,00000000), ref: 00CB40DB
PostMessageW.USER32(00000000,00000100,00000074,00000000), ref: 00CB40EF
PostMessageW.USER32(00000000,00000101,00000074,00000000), ref: 00CB40FB

Strings

SHELLDLL_DefView, xrefs: 00CB40C7
Progman, xrefs: 00CB40B4
SysListView32, xrefs: 00CB40D3

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: FindWindow$MessagePost
String ID: Progman$SHELLDLL_DefView$SysListView32
API String ID: 3193530299-3679918277
Opcode ID: d0f75e748e4a6db6ea86587306a1fda0513e0b199fed31e533d77243eed925f6
Instruction ID: 0325c0d80bd7334460e5a4342827b3c9e106e59c9f5c42d9a72fae21842eb82a
Opcode Fuzzy Hash: d0f75e748e4a6db6ea86587306a1fda0513e0b199fed31e533d77243eed925f6
Instruction Fuzzy Hash: 47E09A31BC532475F53062616C4BFAA1D199B85F65F254016B705BA2C0CAE8748689B8

Uniqueness

Uniqueness Score: -1.00%

Function 00CD4389 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE(?,A2E85FC4,?,?,?,00D0E7A9,000000FF), ref: 00CD43D0
GlobalHandle.KERNEL32(00000000), ref: 00CD43DF
GlobalUnlock.KERNEL32(00000000,?,?,?,00D0E7A9,000000FF), ref: 00CD43E8
GlobalFree.KERNEL32(00000000), ref: 00CD43EF
DeleteCriticalSection.KERNEL32(?,A2E85FC4,?,?,?,00D0E7A9,000000FF), ref: 00CD43F9

Part of subcall function 00CD45E9: EnterCriticalSection.KERNEL32(?,00000001,00000000,00000010,?,?,00000000), ref: 00CD4664
Part of subcall function 00CD45E9: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000), ref: 00CD4677
Part of subcall function 00CD45E9: LocalFree.KERNEL32(?,?,?,00000000), ref: 00CD4680
Part of subcall function 00CD45E9: TlsSetValue.KERNEL32(?,00000000,?,?,00000000), ref: 00CD469C

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: c7cec446b41941edadd11d1561a51a499a500c7775637374fcf3181dc9884b77
Instruction ID: 46a6f58c37dd832f55670bb6669e50506bbf964ee7ac487fac57b03e682910de
Opcode Fuzzy Hash: c7cec446b41941edadd11d1561a51a499a500c7775637374fcf3181dc9884b77
Instruction Fuzzy Hash: 59018035604701FFC7159F69ED08B95BBB8FB45720F044226FA21D37A0DB74E951CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CFC0A9 Relevance: 4.7, APIs: 3, Instructions: 170fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CFB83C: GetConsoleOutputCP.KERNEL32(00000010,00CAF6DE,00D3D174), ref: 00CFB884

WriteFile.KERNEL32(02EC84E8,00000010,00000000,00F31A98,00000000,00F31A98,00CAF6DE,00CAF6DE,00CAF6DE,00F31A98,?,?,00CE978F,?,00D348C8,00000010), ref: 00CFC1EF
GetLastError.KERNEL32(?,00CE978F,?,00D348C8,00000010,00CAF6DE), ref: 00CFC1F9
__dosmaperr.LIBCMT ref: 00CFC238

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID:
API String ID: 910155933-0
Opcode ID: 26e8f4c60ff003a8a327bf834d319af988c836f30c4f02cd2c0828722a07c259
Instruction ID: 9b44ae544abe10d754f5028cae05dee5f45f09823c67f997e75aaeaf0a28d9a3
Opcode Fuzzy Hash: 26e8f4c60ff003a8a327bf834d319af988c836f30c4f02cd2c0828722a07c259
Instruction Fuzzy Hash: 41510171B0020DABDF519FA8CA85FFEBBB9EF46310F144045E610A7292D730DA51EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCC3F0 Relevance: 4.6, APIs: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00D1E248,00000000,00000001,00000000), ref: 00CCC435
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 00CCC456
RegCloseKey.ADVAPI32(00000000), ref: 00CCC49A

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 372171994e767e4c849f4d57cf3a90ced29366f16bcb2179b8f438546d7e687a
Instruction ID: aa2bbf449c1ab71615badd41fc781ef375bd1acbfe9f316fa2634c94d535119a
Opcode Fuzzy Hash: 372171994e767e4c849f4d57cf3a90ced29366f16bcb2179b8f438546d7e687a
Instruction Fuzzy Hash: AA213EB2A10209FFEB14CF95CC95BBEB7B8FB11316F10C45CE529A6140E7B4AA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CCC345 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__snprintf_s.LIBCMT ref: 00CCC387

Part of subcall function 00CCC566: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 00CCC57B

Strings

LOC, xrefs: 00CCC36A

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: __snprintf_s__vsnwprintf_s_l
String ID: LOC
API String ID: 3877413697-519433814
Opcode ID: 8d79f25a512524550a1cf091aff7549cc1967ded514dacd8694a6ef615e291d7
Instruction ID: e3e9718d9c69de08d6363dc225d9e4db2c24e619f68788d4a9d8d81398e40965
Opcode Fuzzy Hash: 8d79f25a512524550a1cf091aff7549cc1967ded514dacd8694a6ef615e291d7
Instruction Fuzzy Hash: C211C231601208BBCB01ABB4ECD2FED33689B14720F004199F608EB1E2DE70DD44A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCC246 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CD5FAF: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00CCC26F,00CCB611,00000003,?,00000004,00000000,00CCB611), ref: 00CD5FC1
Part of subcall function 00CD5FAF: GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00CD5FD1
Part of subcall function 00CD5FAF: EncodePointer.KERNEL32(00000000,?,00CCC26F,00CCB611,00000003,?,00000004,00000000,00CCB611), ref: 00CD5FDA
Part of subcall function 00CD5FAF: GetLocaleInfoEx.KERNELBASE(?,00CCC26F,00CCB611,00000003,?,00000004,00000000,00CCB611), ref: 00CD6008

__snprintf_s.LIBCMT ref: 00CCC2A3

Part of subcall function 00CCC566: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 00CCC57B

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: AddressEncodeHandleInfoLocaleModulePointerProc__snprintf_s__vsnwprintf_s_l
String ID:
API String ID: 1585518483-0
Opcode ID: 363c9183b2cd937ba1b5c40171552db74a40c07c6d1e315fa0bb96c74a3520ca
Instruction ID: da42615bfd371cd85f69bee80c14b4afc7b5bcfcabb29ac06f9dd7dae1498892
Opcode Fuzzy Hash: 363c9183b2cd937ba1b5c40171552db74a40c07c6d1e315fa0bb96c74a3520ca
Instruction Fuzzy Hash: 5C119A71A0021DABDB11FBA4DCD6FBE3368AB14710F000059F618EB1D1EA749A049761

Uniqueness

Uniqueness Score: -1.00%

Function 00CCC4B9 Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,00CCB631,?,00D331D8,00000010,00CCC3CA,?,00000000,00000060,?,?,?,?,?), ref: 00CCC4F9

Part of subcall function 00CC87FB: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup), ref: 00CC880F

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: DebugLibraryLoadOutputString
String ID:
API String ID: 137895185-0
Opcode ID: 605dcbd194406cfe484b1f60039f354c0c1694ab893d760c116cb0e0e7dee693
Instruction ID: f761cfe897dbcd0fcdf627dc1a2350df01e3ee5aba7b310a0c906abd7406e12b
Opcode Fuzzy Hash: 605dcbd194406cfe484b1f60039f354c0c1694ab893d760c116cb0e0e7dee693
Instruction Fuzzy Hash: 95F04972D00308EFDF20DF94DC45BADB7B4BB19366F10851EE525E2290C7B89A48EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4440 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB6390: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000136,00000136,00CA2639,?,?,00000200,?,%s\%s,?,version.txt,Utility::GetUserDirectory(),00000000), ref: 00CB63AA

DeleteFileW.KERNELBASE(00000000), ref: 00CB447B

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: ByteCharDeleteFileMultiWide
String ID:
API String ID: 845983722-0
Opcode ID: 2888c51d55bd0950f93b03fbd188b1e701e7e0abbf00de3c6c4b3a6bff580a1a
Instruction ID: 5404d033ae91018d8bb796ff8a3c93586377ec971b919174b6b784542370313a
Opcode Fuzzy Hash: 2888c51d55bd0950f93b03fbd188b1e701e7e0abbf00de3c6c4b3a6bff580a1a
Instruction Fuzzy Hash: EDF089F05043405FDB24FB34D8567AA73D47B98304F85041DE759DB292EA34A505EAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE40D Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CEE420

Part of subcall function 00CF76EA: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFF4A7,?,00000000,?,?,?,00CFF74A,?,00000007,?,?,00CFFC99,?), ref: 00CF7700
Part of subcall function 00CF76EA: GetLastError.KERNEL32(?,?,00CFF4A7,?,00000000,?,?,?,00CFF74A,?,00000007,?,?,00CFFC99,?,?), ref: 00CF7712

Memory Dump Source

Source File: 00000004.00000002.1500609139.0000000000CA1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00CA0000, based on PE: true

Associated: 00000004.00000002.1500592101.0000000000CA0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500668690.0000000000D10000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500706613.0000000000D37000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D3C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D46000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500729069.0000000000D4C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.1500816094.0000000000D4E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0000_TMLauncher.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 12599881d3d2677130f80024f00bcbc44af00aa340e8eb4b04f0b047de0c1231
Instruction ID: e5f7a48745a47eb64b9806f3adc526ac0a8be35274824705d6b1ed7dcab18530
Opcode Fuzzy Hash: 12599881d3d2677130f80024f00bcbc44af00aa340e8eb4b04f0b047de0c1231
Instruction Fuzzy Hash: 80C08C3100020CFBCB009B45C806E9E7BA8EB80364F200044F40457240DAB1EE00A694

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MagDetector.txt

C:\Users\user\AppData\Local\Temp\PCClient.zip

C:\Users\user\AppData\Local\Temp\SVEDetector.txt

C:\Users\user\AppData\Local\Temp\TMInstaller.txt

C:\Users\user\AppData\Local\Temp\TMSetup.txt

C:\Users\user\AppData\Local\Temp\rsp1024h.txt

C:\Users\user\AppData\Local\Temp\tm_starter_dir\ClientDatabase

C:\Users\user\AppData\Local\Temp\tm_starter_dir\InstallService.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarter.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\Sss.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMInstaller.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

C:\Users\user\AppData\Local\Temp\tm_starter_dir\TMRemover.exe

Windows Analysis Report
SecuriteInfo.com.Trojan.Siggen21.62491.4036.26173.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre